Locky Virus


What is the Locky Virus

Locky Virus is a type of malware program that infects computers, encrypts data, and holds them hostage until a ransom is paid. The Locky Virus tells users that they must download TOR (a browser) and visit a website, where they will learn that they must pay in bitcoins to receive the encryption keys to retrieve their data. Like other types of ransomware, the Locky Virus primarily exists to get people to pay in exchange for getting their data back. Unfortunately, paying up does not guarantee the return of your data, and there is currently no way to decrypt your files after infection.

When it debuted in 2016 the Locky virus infected nearly half a million computers on its first day. It has since gone on to infect millions more including prominent hospital networks and the United States Office of Personnel Management.

The Necurs Botnet distributes the malware, which sends targeted emails to users disguised as invoices, Word documents, and other files, many of which are designed to make you want to download them. In some cases, the files rely on you being unaware of the technique and, in others, they are distributed through a botnet of infected computers and may come from someone you trust. Starting in late 2016, the Locky Virus had been modified to also download itself through malicious advertising (malware installed on ads) which can then go on to infect your computer without you ever clicking on anything except what you thought was a regular link.

It is one of the most significant and dangerous ransomware viruses, simply because we do not yet have a decryption program for it. In only the first year, it had already gone through numerous versions which have become more and more difficult to prevent.

How Does Locky Work

Locky typically relies on a user clicking to download or open a file, turn on macros, or otherwise enable the program. In some cases, it will automatically download through JavaScript code. Once it is initialized, it will initiate an automatic download from a deep web server which installs the actual ransomware.

Temp Directory

Installation is always in the Temp folder (%Temp%) where it is typically saved as SVCHOST.EXE. The program removes the Zone.Identifier from the file as it is downloaded, meaning that malware detection software will not see that it is a file downloaded from the Internet.


Locky inserts itself into startup programs. This ensures that it will automatically start when you restart or turn on your computer.

Encryption Key

One of two methods are used to generate a unique encryption key. In most cases, it will contact the command & control center for its network to get a unique key. In other cases, it will generate a key on its own, which enables it to encrypt while the computer is offline and allows it to install on computers where IT have blocked command & control access.

Data Encryption Begins

You will start to see encrypted files appear and may see gibberish, new file extensions, or be unable to open these files. You will likely notice that your system slows down, the fan may be louder, and the computer may be hot to the touch. This is an excellent time to power off your computer and take it to a professional to salvage your data.

Ransomware Notice

Locky finishes the encryption after a few hours and will change your wallpaper and present a file (_Locky_recover_instructions.txt) with instructions on how to recover your data. This file will specify how many bitcoins you need to pay to access the decryption key and where to go to get the key.


In some cases, Locky will install other viruses, may distribute data to the Internet, and may give hackers full access to your computer. In these cases, the virus was likely installed using Quant Loader, which provides the hacker with nearly complete access to the computer.


There is no known way to decrypt files that have been encrypted by this malware. To get them back, you must restore your computer from a backup or pay the ransom.


AutoLocky is an AutoLT virus that encrypts your files similarly to Locky. However, this virus is much easier to decrypt, and there are multiple decryption tools for it. If you have an Autolocky ransomware infection, simply use your antivirus to remove it, install a decrypter, and get your files back.

Locky Ransomware Infection Techniques

A variety of techniques are used for installation, but these are the most common.

Microsoft Word

Initial distribution of the Locky Virus was through Microsoft Word documents attached to emails. These files typically posed as invoices and demand immediate attention. However, when you click on the email and download the document, you see only symbols and strings. The document prompts you to enable Macros to view the content. When you do, the macro code installs the virus.

Locky Virus

LNK File

LNK Files are windows shortcuts that work with Windows Powershell to automate a Locky download from the web. When you open the file, it automatically sends the command to Powershell, which downloads and installs the file in the Temp folder. This download is typically distributed by email and is extremely difficult for most antivirus programs to detect.


JavaScript files can distribute Locky via email, web-based ads, and through compromised websites. The most common of these is the MRI6219316107.js file, which automates a download. To reduce your risk, ensure that your antivirus is up to date, update all of your programs and apps, double check your browser extensions, and ensure that you are using a strong firewall on your computer.


Locky Virus is commonly being distributed via zipped email attachments. As a general rule, you should avoid downloading zipped email attachments unless you know who they are from and are expecting the attachment. If you are uncertain or are not expecting a file, it is wise to ask what the file is before you download or open it.

Ad Insertion

This virus is increasingly common in ad malware, which infects via Javascript based advertisements. This can be difficult to protect against because you do not have to download it to get infected. However, you can install anti-malware software or ensure that your firewall is running before visiting any websites to mitigate risks.

Recognizing the Locky Virus

Locky, Locky Virus, Locky Virus FAQ, How to remove Locky, Locky Decryption,

The Locky Virus installs itself on your computer and then quickly begins encrypting files. These encrypted files will become unintelligible, and the normal file extensions for photos and videos will change from the usual endings like .jpg to “.locky”, “.zepto”, “.odin”, and “.shit”. If you have any of these file extensions on files that appear to be scrambled, the Locky virus has infected your computer. Locky has continued to adopt new extensions as new versions of the virus are produced. To determine if an unknown extension belongs to Locky, simply copy the extension and search for it in your browser as others have likely already discovered its origins.

Locky also leaves other clues, primarily in that it changes your computer wallpaper telling you exactly what to do and how to get your files back. In most cases, you will be directed to download the Tor browser, where you will be driven to a criminally owned website and prompted to pay in Bitcoins (the most prominent cryptocurrency). While the rates vary depending on the computer and the person being hacked, the average price for personal computers is about $400.

To get your files back, you must purchase the Bitcoins and send them to the listed address, which will then generate a decryption key for you. For the most part, Locky virus does decrypt using these keys.

How to Get Rid of the Locky Virus

If your computer has been infected with the Locky virus, you can most likely run an antivirus program or anti-malware software like Malwarebytes or Bitdefender to find and remove the program. However, these programs will not decrypt your files. Locky does not typically inject malware into your encrypted files, so you can usually run your antivirus without risking the loss of your files. While this will not restore your encrypted files, it will prevent any of your additional files from becoming compromised.

About The Author
Proliferate writer, sesquipedalian, techie, Apple fangirl (don't judge),tree hugger, yogi, tea drinker, zombie hunter. Into philotherianism & philomathy. Love my job. Visit me on Google +