What is Locky Ransomware?

  • By Greg Brown
  • Jan 20, 2023

locky ransomware

Ransomware is one of the most devastating cyber threats of the modern age. Predators use ransomware as an extreme attack vector with the same goal as centuries-old blackmailing outlaws; extort money.

Ransomware attacks are as old as the internet; the first documented attack happened in 1989 via floppy disks. AIDS Trojan or PC Cyborg Trojan encrypted all the directory names on the C Drive. A Harvard evolutionary biologist developed the malware.

Ransomware has evolved into some of the most dangerous, costly, and debilitating assault vectors in history. Targets include online banking and financial services to government and conglomerate infrastructure. Staggering losses in the billions of dollars have made attacks such as WannaCry and REvil malware household names in cyber security.

Saudi Aramco, the world’s largest gas and oil producer, faced a devastating cyber extortion attack in 2012. The suspected, first known state-sponsored attack cost the oil producer millions of dollars. In a matter of hours, 35 thousand company computers were partially wiped of data, with five thousand machines rendered totally useless. The attack sent Saudi Aramco’s computer network back to the stone age. A single employee opened a phishing email that downloaded the malware and started the assault.

Locky Ransomware

The high-profile Locky malware was first noticed in 2016 and was actively used by the Dridex Gang. By late 2017, Dridex was the 800 lb. gorilla in banking and financial malware. The group quickly realized the tremendous potential of ransomware and is now responsible for significant attacks worldwide.

The original Locky Ransomware code has disappeared. However, variants of the Locky ransomware family have grown in popularity.

Locky is a phishing attack, delivered as an attachment by the MS Office downloader or JavaScript. The core of the Locky malware is a Windows executable file. Once the malware has been deployed, it disappears and runs from a copy attached to the temp folder.

Once the Locky malware begins its assault, each file is encrypted and renamed. The first characters usually contain the name of the victim and then other random numbers and letters. The extension is changed to .locky, typical of a ransomware attack.

Cyber experts continue to analyze encrypted Locky files and find there is complete entropy to the assaults. With no visible patterns, Locky Ransomware is one of the most malicious malware codes to be released to the public. 

Locky adds a few specific entries into the Windows registry, the most significant being the Autorun key. The Windows autorun key gives instructions to the malware to start automatically after reboot.


Locky malware attacks the three types of hard drives: fixed (usually the C drive or any named configuration), removable drives, and ramdisk. After execution, Locky moves laterally through each drive and begins to map and attack any connected networks. 

Infected machines display a ransom note immediately after the execution of the virus. Wallpaper instructions to the owner (prepared in several languages) show how the victim can pay and release their machine. Each Locky wallpaper gives its owner the helplessness of their situation and instructs them to visit a predetermined website.

Instructions demand owners to install the TOR browser. The wallpaper contains a unique ID for each infected machine or network. Once the ransom has been paid, a decryption key is given to the owner. Victims must type in the attack ID and a bitcoin code into a form, after which a decryptor program is sent by email.

Defend Against Locky

what is locky ransomware

Since its inception, Locky has gained notoriety due to the global gang Dridex using that specific malware in most of their attacks. Additional reasons for Locky’s popularity are its comprehensive spread attack features. Once deployed to a user’s machine, Locky can map out and infect a global network within hours. 

After comprehensive inspections of the virus, most cyber experts agree that Locky is a vicious malware code with similar features to other ransomware codes. This commonality means individual users and network admins can use aggressive mitigation techniques already on the board.

Microsoft and its legal team traced the servers of the Locky Ransomware and threatened them with legal action. The company also laid down several actions that network admins and individual users can take to mitigate the virus. 

  • Phishing and spam are the most prevalent ways attackers infect networks with ransomware. Make certain email gateways are protected. It is essential to use endpoint security for detecting and blocking malicious emails. A robust endpoint security solution protects against attachments and infected URLs in emails. Regularly patch network systems and conduct vulnerability assessments.
  • Make it easier for employees and customers to do the right thing in protecting company assets. In the absence of training, employees make poor decisions with their technology. Create common sense policies for every person who has access to company technology. Make sure systems and controls are taught regularly so everyone can do their job effectively. It is advisable to make sure policies are not cumbersome or restrictive.
  • Attackers do not seek out impenetrable firewalls to access company networks. Predators always look for weak points, such as over-trusting or unwitting employees. More employees are working from home with little training made available, and attackers have increased their use of phishing to infect a company’s network. 
  • Implement anti-phishing campaigns to block malicious downloads and websites. Secure web gateways can scan a customer’s web traffic to identify malware ads, leading to a ransomware attack. Identifying threats before they become a significant problem is the key to successfully mitigating ransomware. Most web breaches result from simple failures and a breakdown in planning rather than attacker ingenuity.
  • Implement a Zero Trust security model as soon as possible. Zero Trust is a security framework requiring all users to identify and authenticate themselves before authorization, regardless of whether they are in or outside the network. Users are continually authenticated when on the network to have the ability to access company applications. 

Segmenting the network is the first and one of the most important aspects of a zero-trust security model. Network segmentation breaks the entire network down into smaller manageable parts.

About the Author
IDStrong Logo

Related Articles

How To Make Your IG Account Private

There are occasions when it makes more sense to have a private Instagram (IG) account. You might w ... Read More

Windows 10 Privacy Settings You Should Change Now

Privacy is a buzzword we hear a lot these days in the wake of data breaches, Wikileaks, and other ... Read More

How to Delete Your Facebook Account

It might seem absurd to some people who live on Facebook, deleting your Facebook account. But, man ... Read More

How to Change Network From Public to Private On Windows

Privacy has become a major concern for many of us after reading about all the data breaches, hacki ... Read More

Twitter Security and Privacy Settings Made Simple

With data breaches and ransomware intrusions in the news daily, privacy is the word on everyone&rs ... Read More

Latest Articles

What is PPP Loan Fraud?

What is PPP Loan Fraud?

When the pandemic hit in 2020, our world became chaotic overnight. Throughout the nation, individuals were met with layoffs or stringent checks—pushing the financials of families to their breaking points.

Cementitious Vendor—CGM—Network Compromised by 315k Data Breach

Cementitious Vendor—CGM—Network Compromised by 315k Data Breach

Based in Philadelphia, Pennsylvania, CGM is a nationwide cementitious vendor for industries and construction projects. They are a leader in manufacturing, labeling, and distributing custom cement and patching products.

Chattanooga Heart Institute Updates on 2023 Network Cyber Attack

Chattanooga Heart Institute Updates on 2023 Network Cyber Attack

Patients with cardiovascular issues may appear in one of the Chattanooga Heart Institute (CHI) facilities in Tennessee and Georgia.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Exposure Scan
Instantly and Securely Check if Your Personal Information is Exposed on the Dark Web or Sold by Data Brokers
Please enter first name
Please enter last name
Please select a state
Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address