{"id":18343,"date":"2017-09-05T12:54:34","date_gmt":"2017-09-05T07:24:34","guid":{"rendered":"https:\/\/blog.resellerclub.com\/?p=18343"},"modified":"2026-05-21T10:47:07","modified_gmt":"2026-05-21T10:47:07","slug":"locky-ransomware-everything-you-need-to-know","status":"publish","type":"post","link":"https:\/\/www.resellerclub.com\/blog\/locky-ransomware-everything-you-need-to-know\/","title":{"rendered":"Locky Ransomware: Everything You Need to Know"},"content":{"rendered":"

What is Locky Ransomware?<\/strong><\/p>\n

After WannaCry <\/a>and Petya<\/a>, another ransomware seems to spreading like wildfire, taking a hold of computer systems all over the globe, this time it\u2019s being called Locky.<\/p>\n

The Computer Emergency and response team (CERT) under Government of India has raised an advisory on the spread of Locky Ransomware via spam emails.<\/p>\n

 <\/p>\n

\n

CERT-In published Alert regarding the spam campaign spreading Locky ransomware https:\/\/t.co\/hzbuyDLjvB<\/a><\/p>\n

\u2014 CERT-In (@IndianCERT) September 3, 2017<\/a><\/p><\/blockquote>\n

Quoted from CERT-In <\/a>Locky is a ransomware that scramble the contents of a computer or server (associated network shares, both mapped and unmapped and removable media) and demands payment to unlock it “usually by anonymous decentralized virtual currency BITCOINS”.<\/em><\/p>\n

Locky is very similar to WannaCry in the way it caused massive uproar around the world.<\/p>\n

It came into picture in early 2016 and two days ago it was reported that a new wave of spam mails have started circulating again with common to spread variants of Locky ransomware, this time penetrating Indian systems as well. Latest reports indicate that over 23 million messages have been sent in this campaign.<\/p>\n

Locky Ransomware strikes your system when you least expect it. It locks your computer system and only unlocks it when a ransom demand is paid. Locky uses AES( Advanced Encryption Standard) algorithm to encrypt your system and this is only possible once you download the malicious attachment and Enable the Macros settings.<\/p>\n

How does it propagate?<\/strong><\/p>\n

The primary mode of spreading of Locky is via spam emails. The email contains common subjects like \u2018documents\u2019, \u2018please print\u2019, \u2018photo\u2019, \u2018images\u2019, \u2018pictures\u2019 and \u2018scans\u2019 which may change depending on the target audience. Once you open this email, and click on the attachment variants of the ransomware automatically get downloaded to your computer.<\/p>\n

As soon as the variants are downloaded, your desktop background is changed with instructions to be followed and shows a \u2018.htm\u2019 file named “Lukitus[dot]htm”.
\nOnce the system is infected by Locky, all files are encrypted and string with random numbers with extension ” [.]lukitus” or “[.]diablo6” is appended to the encrypted files. Lukitus is French for \u2018locking\u2019.<\/p>\n

The instructions contain installation of TOR browser (Onion Router Network) and visiting “.onion” sites. The users are then demanded to pay 0.5 Bitcoins to avail this decryption service that\u2019s equivalent to almost Rs. 1.5 lakh (INR).<\/p>\n

Furthermore, it has been reported that a spam campaign showing links to fake dropbox sites is being used to spread Locky variants. If the pages are viewed in Chrome or Firefox, they show a fake notification stating “you don’t have the HoeflerText font”. These fake notifications had an “update” button that returns a malicious JavaScript (.js) file. [1]\n

In a nutshell, what it does is this:<\/p>\n

    \n
  1. You receive an email, with an attachment that when opened is a scrambled mess of words.<\/li>\n
  2. At the top are the words, \u2018Enable Macros if the data encoding is incorrect.\u2019<\/li>\n
  3. The moment you enable macros, instead of correcting the document, your system gets encrypted and Locky ransomware is activated and Windows ability to take live backup called Shadow copies is also compromised.<\/li>\n
  4. Your wallpaper changes to \u2018How to decrypt\u2019 message displaying image.<\/li>\n<\/ol>\n
    <\/a>
    Locky Message<\/figcaption><\/figure>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

    Recommendations against Locky:<\/b><\/p>\n

    Here is a list of recommendations advised to the users to prevent Locky from compromising your computer.<\/p>\n