How Does Locky Ransomware Work?


Locky ransomware is the current big name in malware, with millions of infected computers to its credit, including high-profile businesses, hospitals, and even police departments. The malware reaches user computers through email attachments, JavaScript, and even ads, then encrypts files so that users can no longer access them. Unfortunately, with no Locky decryption program currently available, infected users must pay the ransom, which varies between 0.25 and 1 Bitcoin ($200-$800), to restore their data. High-profile victims have been given much higher ransom demands (as high as $17,000), and low-profile victims are not guaranteed the return of their data in exchange for paying (not all decryption keys handed out to people who pay the ransom actually work).

But, how does this ransomware work? And what is the process?

How Does Locky Work?

Locky typically relies on a user to click download, approve a file, turn on macros, or otherwise enable the program. In some cases it downloads automatically through JavaScript. Once that initial download runs, it fetches the actual ransomware from a deep web server and installs it.

Temp Directory – The Locky virus is always installed into the Temp folder (%Temp%), where it is typically saved as SVCHOST.EXE, the name of a legitimate Windows process. The program removes the Zone.Identifier (the NTFS alternate data stream that marks a file as downloaded from the Internet) from the file as it is downloaded, so anti-malware programs will not see that it came from the Internet.

Startup – Locky ransomware inserts itself into the list of startup programs, which ensures that it launches automatically any time you restart or turn on your computer.

Encryption Key – Locky uses one of two methods to obtain a unique encryption key. In most cases it contacts its command-and-control (C&C) server to get a unique key. In other cases it generates a key on its own, which lets it encrypt while the computer is offline and lets it run on computers where IT has blocked C&C access.

Data Encryption Begins – If you are browsing your files at this point you may see gibberish, new file extensions, or files that will not open. The encryption may or may not be finished, but you can try to save as much data as possible by copying any still-unencrypted files to a separate drive. New file extensions commonly include “.locky”, “.zepto”, “.odin”, and “.shit”. You will likely notice that your system slows down, the fan gets louder, and the computer becomes hot to the touch.

Ransomware Notice – Locky finishes the encryption after a few hours, then changes your wallpaper and presents a file (_Locky_recover_instructions.txt) with instructions on how to recover your data. This file specifies how many bitcoins are demanded for the decryption key and where to go to get it.
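The drop location, file extensions, and ransom note described above are exactly the kind of on-disk indicators a responder can sweep a machine or a file share for. The following is an added example, not code from the original article: a small Python scanner that walks a directory tree and reports files carrying the Locky extensions, copies of the ransom note, and any svchost.exe that sits outside the Windows system directories (such as the %Temp% copy). The demo directory layout, file names and contents it builds are constructed test data, not samples from a real infection.

```python
"""Sweep a directory tree for the on-disk Locky indicators named in the article."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions that Locky variants append to encrypted files (named in the article).
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".shit"}
# Ransom note dropped once encryption finishes (named in the article); matched case-insensitively.
RANSOM_NOTE = "_locky_recover_instructions.txt"
# The real svchost.exe lives under the Windows system directories; a copy anywhere
# else (for example in %Temp%, the drop location the article describes) is suspect.
LEGIT_SVCHOST_DIRS = ("windows/system32", "windows/syswow64")


def _is_legit_svchost_dir(path: Path) -> bool:
    """True if this svchost.exe sits in one of the expected system directories."""
    parent = path.parent.as_posix().lower()
    return any(parent.endswith(d) for d in LEGIT_SVCHOST_DIRS)


def scan_for_locky(root) -> dict:
    """Walk `root` and summarise the Locky indicators found.

    Returns a dict with the per-extension count of encrypted files, the paths of
    ransom notes, the paths of rogue svchost.exe copies, and an overall verdict.
    """
    encrypted = Counter()
    ransom_notes = []
    rogue_svchost = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if ext in LOCKY_EXTENSIONS:
                encrypted[ext] += 1
            elif name.lower() == RANSOM_NOTE:
                ransom_notes.append(path.as_posix())
            elif name.lower() == "svchost.exe" and not _is_legit_svchost_dir(path):
                rogue_svchost.append(path.as_posix())
    return {
        "encrypted": dict(encrypted),
        "ransom_notes": ransom_notes,
        "rogue_svchost": rogue_svchost,
        "infected": bool(encrypted or ransom_notes or rogue_svchost),
    }


def build_demo_tree(base, infected: bool = True) -> Path:
    """Create a constructed directory tree; `infected` adds the Locky artifacts."""
    base = Path(base)
    layout = {
        "Users/alice/Documents/notes.txt": b"still plaintext",
        "Windows/System32/svchost.exe": b"MZ legitimate placeholder",
    }
    if infected:
        layout.update({
            "Users/alice/Documents/report.docx.locky": b"encrypted blob",
            "Users/alice/Pictures/holiday.jpg.locky": b"encrypted blob",
            "Users/alice/Documents/budget.xlsx.zepto": b"encrypted blob",
            "Users/alice/Documents/_Locky_recover_instructions.txt": b"ransom text",
            "Users/alice/AppData/Local/Temp/svchost.exe": b"MZ rogue placeholder",
        })
    for rel, content in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def demo(infected: bool = True) -> dict:
    """Build a throwaway tree, scan it, and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_locky(build_demo_tree(tmp, infected=infected))


if __name__ == "__main__":
    result = demo()
    print("infected:", result["infected"])
    print("encrypted files by extension:", result["encrypted"])
    print("ransom notes:", result["ransom_notes"])
    print("rogue svchost.exe:", result["rogue_svchost"])
```

On a real host you would call `scan_for_locky` on the user profile and any mapped shares rather than on the demo tree; the extension and note checks are cheap enough to run across a whole share, and the svchost.exe check is what turns the %Temp% drop described above into something you can alert on.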

Exploits – In some cases Locky installs other viruses, may leak data to the Internet, and may give hackers full access to your computer. In these cases the Locky virus was likely installed using Quant Loader, which gives the attacker near-complete access to the computer.

Recovery – There is no way to decrypt files that have been encrypted by Locky ransomware. To get them back, you must restore your computer from a backup or pay the ransom.

AutoLocky – AutoLocky is an AutoIt virus that encrypts your files in a similar way to Locky. However, this virus is much easier to decrypt, and multiple decryption tools exist for it. If you have an AutoLocky infection, simply use your antivirus to remove it, install a decrypter, and get your files back.

Locky ransomware is highly malicious, difficult to get rid of, and impossible to decrypt without paying the ransom. However, paying the ransom is no guarantee of getting your files back, and experts recommend that you do not pay unless you have no other choice. If your files have been compromised by Locky and you do not have a backup, consider going to the police first before considering paying the ransom.


About The Author
Prolific writer, sesquipedalian, techie, Apple fangirl (don't judge), tree hugger, yogi, tea drinker, zombie hunter. Into philotherianism & philomathy. Love my job. Visit me on Google +
