Locky is ransomware malware released in 2016 and highly active in 2017. It is delivered by email (typically posing as an invoice requiring payment) with an attached Microsoft Word document that contains malicious macros. [1] When the user opens the document, it appears to be full of garbage, and it includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, the macros save and run a binary file that downloads the actual encryption trojan, which encrypts all files matching particular extensions. Filenames are converted to a unique 16-character combination of letters and numbers with the .locky file extension. After encryption, a message displayed on the user's desktop instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information. The Web site contains instructions that demand a payment of between 0.5 and 1 bitcoin (at the time, one bitcoin was worth roughly 500 to 1000 Euros on a bitcoin exchange). Because the criminals hold the private key needed for decryption and control the remote servers, victims are motivated to pay to get their files back.[2][3]


Locky encrypts files on victims' computers and adds a .locky file extension to them. The ransom demand varies between 0.5 and 1 bitcoin (approximately US$210 to $420, or 500 to 1000 Euros, at the time of writing).


The most common way that Locky reaches your devices is as follows:

Phishing E-Mail 

  • Phishing is a continual threat, and the risk is even larger on e-commerce and social media sites such as Amazon, Flipkart, Facebook, Twitter, YouTube and Google+. Attackers can create a clone of a website and ask you to enter personal information, which is then sent to them. They commonly exploit these sites to attack people using them at work, at home or in public, in order to obtain personal and security information that can harm the user or the company (in a workplace environment). 
Just Say No—To Suspicious Emails and Links 

  • The primary method of infecting victims with ransomware involves every hacker's favourite bait, the "spray-'n'-pray" phishing attack: spamming you with emails that carry a malicious attachment or instruct you to click on a URL from which malware surreptitiously crawls into your machine. 
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source or person, do not enable macros; instead, delete the email immediately. 

How a typical Locky email infects you:

  • You receive an email containing an attached document (Troj/DocDl-BCF). 
  • The document looks like gobbledegook. 
  • The document advises you to enable macros "if the data encoding is incorrect."
  • If you enable macros, you do not actually correct the text encoding (that is the subterfuge); instead, you run code inside the document that saves a file to disk and runs it. 
  • The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks. 
  • The final payload could be anything, but in this case it is usually the Locky ransomware (Troj/Ransom-CGW).
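The chain above starts with a macro-carrying Word document, so the most robust control is not to rely on the user declining the "enable macros" prompt but to screen attachments before they are delivered. The following Python script is an added example, not code from the original page or from any vendor: it classifies a Word attachment as macro-enabled (by the presence of word/vbaProject.bin or a macro-enabled content type in the package), macro-free, legacy binary .doc (which needs an OLE stream parser such as oletools' olevba to inspect and is treated as suspect here), or not a Word file at all, and applies a simple deliver/quarantine policy. The sample documents are constructed in memory; no real Locky sample is involved.

```python
"""Screen a Word attachment for embedded VBA macros before it reaches a user.

Added example (not code from the original page).  The sample documents are
constructed in memory; no real malware sample is used.
"""
import io
import zipfile

# Part name and content type that mark a macro-enabled OOXML document (.docm).
VBA_PART = "word/vbaProject.bin"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Magic bytes of an OLE compound file, i.e. the legacy binary .doc format.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_word_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole' or 'not-word' for an attachment body."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc files can hold VBA too, but locating it needs an OLE stream
        # parser (e.g. oletools' olevba); treat them as suspect for manual review.
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-word"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = set(pkg.namelist())
            if VBA_PART in names:
                return "macro"
            # A .docm renamed to .docx keeps its declared content types, so check those too.
            if "[Content_Types].xml" not in names or "word/document.xml" not in names:
                return "not-word"
            types_xml = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in types_xml or "vbaProject" in types_xml:
                return "macro"
            return "no-macro"
    except zipfile.BadZipFile:
        return "not-word"


def gateway_verdict(data: bytes) -> str:
    """Policy for an inbound attachment: deliver only macro-free OOXML documents."""
    return "deliver" if classify_word_attachment(data) == "no-macro" else "quarantine"


def build_sample_doc(with_macros: bool, hide_vba_part: bool = False) -> bytes:
    """Construct a minimal Word package in memory (constructed test data).

    hide_vba_part builds a package whose content types declare macros but which
    omits vbaProject.bin, to exercise the content-type check.
    """
    main_ct = MACRO_MAIN_CT if with_macros else PLAIN_MAIN_CT
    default_bin = ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
                   if with_macros else "")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'{default_bin}'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        if with_macros and not hide_vba_part:
            # Placeholder bytes standing in for the compressed VBA project stream.
            pkg.writestr(VBA_PART, OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_sample_doc(with_macros=True),
        "invoice_renamed.docx": build_sample_doc(with_macros=True, hide_vba_part=True),
        "report.docx": build_sample_doc(with_macros=False),
        "old_invoice.doc": OLE_MAGIC + b"\x00" * 64,
        "note.txt": b"plain text",
    }
    for name, body in samples.items():
        print(f"{name:22} {classify_word_attachment(body):11} -> {gateway_verdict(body)}")
```

The check is deliberately blunt: it does not try to decide whether the macros are malicious, because the page's own advice is that an unexpected invoice asking you to enable macros is reason enough to refuse it. Legacy .doc attachments are quarantined for review rather than parsed, since their VBA lives in OLE streams that this script does not read.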

Once Locky is ready to demand the ransom, it makes sure you see the ransom message by replacing your desktop wallpaper with it.


If you suspect your system is infected, what next? 

Disconnect from Wi-Fi or unplug from the network immediately, and inform Mr. Pavan at 8494926859 or [email protected] / [email protected], or Mr. Batheiah at 8494926847 or [email protected].
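Once the machine is off the network, the responder will want to know how far the encryption got before it was stopped. The following Python script is an added example, not part of the original note: it walks a directory tree for files matching the rename pattern described above (a letter-and-number name plus .locky), counts them per folder, and reports the modification-time window, which approximates when the encryption ran. Two assumptions that are not stated on the page: the renamed files are treated as hexadecimal names, and names longer than 16 characters are accepted so that variants are not missed. The sample tree is constructed in a temporary directory.

```python
"""Quick triage for a suspected Locky infection.

Added example (not code from the original page).  Walks a directory tree for
files matching the .locky rename pattern, summarises where they are and when
they were written.  The sample tree is constructed in a temporary directory.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# The page describes renamed files as a unique 16-character letter-and-number
# name with a .locky extension.  Assumption: the name is hexadecimal; the
# pattern accepts 16 or more hex characters so longer variants are not missed.
LOCKY_NAME = re.compile(r"^[0-9a-f]{16,}\.locky$", re.IGNORECASE)


def scan_for_locky(root: str) -> dict:
    """Walk root and summarise files renamed in Locky's style."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if LOCKY_NAME.match(name):
                path = os.path.join(dirpath, name)
                hits.append((path, os.stat(path).st_mtime))
    by_dir = {}
    for path, _ in hits:
        folder = os.path.relpath(os.path.dirname(path), root)
        by_dir[folder] = by_dir.get(folder, 0) + 1
    mtimes = [m for _, m in hits]
    return {
        "count": len(hits),
        "names": sorted(os.path.basename(p) for p, _ in hits),
        "by_dir": by_dir,
        # Modification-time window gives a rough start/end of the encryption run.
        "first": min(mtimes) if mtimes else None,
        "last": max(mtimes) if mtimes else None,
    }


def make_sample_tree(root: str) -> None:
    """Construct a small tree: three Locky-style names plus benign files (test data)."""
    layout = {
        "Documents": ["9F0B3C7A2D1E4F68.locky", "0a1b2c3d4e5f6789.locky", "notes.txt", "report.docx"],
        "Pictures": ["C3D4E5F60718293A.locky", "holiday.jpg"],
        # A file that merely ends in .locky but has no hex name must not match.
        "Downloads": ["foo.locky"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"\x00")


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return scan_for_locky(tmp)


def format_report(report: dict) -> str:
    """Render the scan result as the short summary a responder would paste into a ticket."""
    def stamp(t: float) -> str:
        return datetime.fromtimestamp(t, timezone.utc).isoformat(timespec="seconds")

    lines = [f"Locky-style files found: {report['count']}"]
    for folder, n in sorted(report["by_dir"].items()):
        lines.append(f"  {folder}: {n}")
    if report["first"] is not None:
        lines.append(f"  encryption window (UTC): {stamp(report['first'])} .. {stamp(report['last'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(demo()))
```

Run it against the affected user's profile and mapped shares rather than the whole disk first; the per-folder counts tell you whether the shares were reached, and the time window tells you which backups predate the encryption.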

References: