Locky Ransomware

I bet all of you have come across a phishing email with an MS-Word or MS-Excel document as an attachment. The content of the document is gibberish, prompting you to enable the macros included in the attached document. This technique was used by Locky Ransomware to make its way onto our computers. We will discuss the same in this post. The Google Trends chart below shows its prevalence, as we can still see people searching about it. Let's dive deep and understand the subject. Modified variants of Locky are currently present in the wild (on the internet).

Source: Google Trends

The Locky ransomware outbreak began in the early months of 2016, with a California-based hospital as one of the first victims. A ransom of $16700 was paid by the administration to recover the systems, citing the urgency of the equipment. To better understand the basics of Locky, we can refer to the cyber kill chain, which describes the different stages involved in a cyber attack. The snapshot below depicts the different stages of the Cyber Kill Chain process.


We will try to map the stages involved in the Locky ransomware onto the cyber kill chain, as this will help us understand the subject more clearly.

  • Since Locky doesn't exploit any OS/application-level vulnerability, no specific reconnaissance phase is required.
  • The deliverable payload is developed either as macro functions or as compressed JavaScript functions.
    • A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically.
    • JavaScript is an object-oriented programming language commonly used to create interactive effects within web browsers.
  • The code is propagated through email campaigns and is included in the attachment. The subject is convincing enough to prompt a user to open the attachment. Locky doesn't have any self-propagating capability like WannaCry.
  • Once the attachment or script is executed, a 32-bit payload is executed. After deployment, the executable disappears, having run a dropped copy under svchost.exe.
    • Svchost.exe is the generic host process name for Windows services that run from dynamic-link libraries (.dll files).
      • A DLL is a file format used to hold multiple pieces of code and procedures for Windows programs.
  • After the process has started, it initiates the encryption of files. While enumerating the drives associated with the target machine, it targets fixed and removable drives as well as RAM drives. It also attacks network files that can be accessed with the logged-in user's privileges. The file name is changed in a fixed pattern: the first 16 characters are the victim id, followed by a file-unique id, with .locky as the extension. New extensions have also been associated with it, such as .thor, .shit, .zepto and .odin. It also installs text/bitmap ransom notes, which appear as the desktop wallpaper. The text is localized according to the language detected on the system. A registry key is created in autorun to ensure the process starts as soon as the system resumes after a restart or shutdown.
Source: Google Images
  • For talking to the command center, the HTTP protocol is used as the communication channel.
  • Once the files are encrypted and the desktop wallpaper changes to the snapshot above, users are asked to pay a ransom in bitcoins. There is no assurance that the files will be decrypted after the ransom payment. RSA-2048 and AES-128 are the algorithms used for the encryption process.
    • RSA-2048 is used to encrypt the randomly generated AES-128 key assigned to each file, to ensure confidentiality and integrity.
      • AES (Advanced Encryption Standard) is a symmetric-key encryption mechanism where both parties have the same key: the key used for encryption has to be used for decryption as well. It is one of the strongest encryption algorithms; here 128 is the symmetric key size.
      • RSA is an asymmetric algorithm which works with two different keys, i.e. the public and private key concept. The public key is available to everyone and the file is encrypted using it. To decrypt the file, you need the private key, which is possessed by the key owner only, thus making the whole encryption process robust. It addresses the inherent problem of key sharing in symmetric algorithms: RSA doesn't require the secret key to be shared. 2048 is the key size.
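
A defender-side check built from the renaming pattern described above, added here as an example that is not from the original post: it scans a file listing for names of the form victim id + file-unique id + known Locky extension and groups the hits by victim id, since one id shared across many files is what an active encryption run looks like. Hexadecimal ids, a 16-character unique id and the alert threshold are this example's assumptions, not details from the post.

```go
package main

import (
	"regexp"
	"strings"
)

// lockyName matches the renaming pattern the post describes: a 16-character
// victim id, a per-file unique id, and one of the extensions seen in the wild.
// Hexadecimal ids and a 16-character unique id are this example's assumptions.
var lockyName = regexp.MustCompile(`(?i)^([0-9a-f]{16})[0-9a-f]{16}\.(locky|zepto|odin|thor|shit)$`)

// baseName returns the last path component, accepting both Windows and POSIX
// separators so listings exported from Windows hosts can be scanned anywhere.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// scanListing groups every Locky-pattern file name under its victim id.
// One id recurring across many files is the signature of one encryption run.
func scanListing(paths []string) map[string][]string {
	byVictim := make(map[string][]string)
	for _, p := range paths {
		if m := lockyName.FindStringSubmatch(baseName(p)); m != nil {
			id := strings.ToUpper(m[1])
			byVictim[id] = append(byVictim[id], p)
		}
	}
	return byVictim
}

// alertThreshold is a tuning assumption: fewer hits than this under one victim
// id are reported but not escalated.
const alertThreshold = 3

// victimsToEscalate returns the victim ids whose hit count reaches the threshold.
func victimsToEscalate(byVictim map[string][]string) []string {
	var ids []string
	for id, files := range byVictim {
		if len(files) >= alertThreshold {
			ids = append(ids, id)
		}
	}
	return ids
}
```

Feed it the output of a file inventory (backup index, EDR file listing) and escalate any victim id that crosses the threshold; names that only partially match, such as the ransom-note text files, are deliberately not counted.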

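The hybrid scheme the last bullets describe, worked through as an added example (this is not code from the post and not Locky's own implementation): each file gets its own random AES-128 key, and only that key, never the file itself, is encrypted with the operators' RSA-2048 public key, so nothing left on the victim's machine can recover the content. CTR mode, OAEP padding and the newAttackerKeyPair helper are this example's choices and assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// newAttackerKeyPair stands in for the operators' RSA-2048 key pair; the private half never reaches the victim.
func newAttackerKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// aesCTR runs AES in CTR mode (this example's choice of mode); the same call encrypts and decrypts.
func aesCTR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// encryptFile follows the scheme the post describes: a fresh random AES-128 key for this one
// file, content encrypted under it, the key wrapped with the RSA-2048 public key (OAEP: our choice).
func encryptFile(pub *rsa.PublicKey, content []byte) (wrappedKey, iv, ciphertext []byte, err error) {
	buf := make([]byte, 32) // 16-byte AES-128 key followed by a 16-byte CTR IV
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, nil, err
	}
	fileKey, iv := buf[:16], buf[16:]
	ciphertext, err = aesCTR(fileKey, iv, content)
	if err != nil {
		return nil, nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	return wrappedKey, iv, ciphertext, nil
}

func decryptFile(priv *rsa.PrivateKey, wrappedKey, iv, ciphertext []byte) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, err // without the matching private key the file key stays sealed
	}
	return aesCTR(fileKey, iv, ciphertext) // and without the file key, so does the content
}
```

The wrapped key is exactly one RSA-2048 block (256 bytes) per file, and two encryptions of the same content produce different wrapped keys and ciphertexts, which is why recovering one file's key helps with no other file.
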
After understanding the ransomware and its impact, we can think about how to protect ourselves from such attacks. Caution is always advisable, and should be strictly followed, when opening emails from unsolicited sources. For emails from irrelevant sources or with irrelevant content, make sure you don't open MS Word/MS Excel or compressed file attachments. These are phishing attempts where attackers try to deceive you with the content, the subject or the attachment name. Please keep anti-virus/anti-malware solutions always up to date.

Locky has not gone out of the wild. It keeps coming back after a short vacation each time, more powerful and dreadful than before. The ransom demanded is in the range of 0.5 – 1 Bitcoin (2.4 Lakhs – 4.8 Lakhs INR or $3.2K – $6.4K). We can save this huge amount of money by acting smart and staying vigilant so as not to fall prey to these ransom attacks.
