Locky ransomware is back! Why is it that for the past few weeks, most of my blogs have been about ransomware, security, malware attacks, etc? It’s really getting out of control! The locky ransomware attack has reared it’s ugly head again. It was prominent for a while, went away, and is back with a vengeance.

What is Locky Ransomware?

Originally released in 2016, the Locky ransomware is one of the most destructive types of malware. It’s developers are trying to spread this malicious software through the Necurs botnet, which has proven o be quite effective itself. The Necurs botnet has been used successfully in distributing the Dridex banking Trojan over the past few months. Now that criminals are using the same strategy for ransomware, it is impossible to tell how things will evolve moving forward. Now is a good time to be even more cautious than ever when it comes to opening emails from unknown senders. The Necurs botnet has been widely appreciated by criminals as of late, as it has been used for pump-and-dump stock plays, work-from-home scams, and even Russian dating advertisements.

Detecting Locky Ransomware

The most commonly reported mechanism of infection involves receiving an email with a Microsoft Word document attachment that contains the code. The document is gibberish, and prompts the user to enable
macros to view the document. Enabling macros and opening the document launch the Locky virus.[ Once the virus is launched, it loads into the memory of the users system, encrypts documents as hash.locky files, installs .bmp and .txt files, and can encrypt network files that the user has access to. This has been a different route than most ransomware since it uses macros and attachments to spread rather than being installed by a Trojan or using a previous exploit.

The Locky Ransomware virus is what hit the Hollywood Presbyterian Medical Center in February of 2016. They ended up paying $17,000 bitcoin for the decryption key. The hospital was infected by the delivery of an email attachment disguised as a Microsoft Word invoice. Be VERY careful what you open!


Tier3MD is a Medical IT support group.