What is Locky ransomware and how to protect against it

Locky ransomware was first discovered in January 2016. It has since grown to be a family of ransomware systems.

While the original Locky is no longer active, variants are still out there. There is also no guarantee that the original Locky won’t come back. So, there is every reason to research this malware and its variants and install protection measures to prevent it from getting on your system.

The Locky ransomware family attacks Windows systems. Attack campaigns carried out with Locky ransomware are opportunistic and not targeted. The code for the virus is attached to spam emails that are mailed out to lists of hundreds of thousands of email addresses at a time.

The strategy is a numbers game. A percentage of the recipients will be interested in the generic text of the email, and a percentage of those people will open the attachment. A subgroup of that number will activate the macros that load the Locky ransomware.

Targets of Locky ransomware

Although Locky’s entry strategy is through mass mailouts, it is possible to tailor that target field by acquiring lists of emails in specific industries. The Healthcare sector has been a massive target for Locky. The Telecom and Transportation sectors are the next biggest targets.

Targeting businesses is more profitable than attacking private individuals. Large organizations have more money to spare than individuals, and they also have more to lose. While many ransomware strains charge around $500 for remediation, Locky’s ransom was usually between $4,500 and $10,000, paid in Bitcoin. This is not the very high end of ransom demands; some ransomware demands sums in the millions of dollars.

The Necurs botnet

Most email systems now apply spam filters automatically. These are blacklisting systems that spot high-volume mailings from one domain or email address. Spam filters divert identified emails to the Spam/Junk folder or outright block those emails from being downloaded into the client.

The makers of Locky got around this problem by creating a botnet. Both the hacker group and the botnet are called Necurs. A botnet is a group of private computers that have been infected with a virus. Each device in the botnet is called a “zombie.” The virus periodically opens a connection to a “command and control” server (C&C), which gives it instructions on what to do.

Necurs uses its botnet to send out emails. There are millions of computers in the botnet. Those computers can be big, corporate servers, and so Necurs has a large capacity. Spam filters blacklist source IP addresses and domain names that send out large numbers of emails. By spreading around the task of sending out the emails, Necurs avoids that filter. The source domains given in these emails are usually fake – they don’t need recipients to reply, just open the attachment.

How does Locky ransomware operate?

The same spam email, which is about an unpaid invoice, is sent out to hundreds of thousands of recipients. The email has a Word document as an attachment, and the message of the mail encourages the recipient to open it. The contents of the document are unintelligible – just a jumble of characters. A popup explains that the document has been encrypted and that pressing a button in the popup will decode it.

The button in the document popup activates the macros in the file. These act as a downloader that opens a connection to the C&C server and downloads an installer. With this, the Necurs group has an agent on that computer. The device can be used as part of the botnet or infected with Locky ransomware.

The Locky code isn’t copied over as a file. Instead, it is loaded directly into memory. The installer checks periodically for the running process, and if it can’t find it, it downloads the program and reruns it. This means that the Locky program doesn’t need to be resident on the computer to operate. This defeats one of the standard detection methods of antimalware. However, the installer itself does need to be stored on the computer, so it provides an indicator that can be identified. The installer also downloads some .txt and .bmp files for use in the ransom demand.

Locky doesn’t spread. It just starts encrypting files straight away on the computer that it is installed on. The encryption process renames each file with an ID made up of 16 characters that contains both numbers and letters. The encrypted file also gets a different extension. The first version of Locky used the .locky extension. Later versions and variants used the following extensions for encrypted files:

  • .zepto
  • .odin
  • .shit
  • .thor
  • .aesir
  • .zzzzz
  • .osiris

The last version of the ransomware emerged in December 2016, using the .osiris extension.
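As a defender-side illustration of the renaming behaviour described above, this added example (not code from the original article or from any vendor) sweeps a directory tree for the extensions this article names, including .lukitus from the variants section, and reports the folders where they cluster. The function names, the threshold, and the idea that the 16-character ID appears as an unbroken run of letters and digits in the file name are assumptions made for the example.

```python
import os
import re
import tempfile
from collections import Counter

# Extensions this article names for Locky and its variants.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".shit", ".thor",
                    ".aesir", ".zzzzz", ".osiris", ".lukitus"}
ID_RUN = re.compile(r"[A-Za-z0-9]{16,}")  # assumed form of the 16-character ID


def classify_name(filename):
    """Return 'strong', 'weak' or None for one file name."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in LOCKY_EXTENSIONS:
        return None
    for run in ID_RUN.findall(stem):
        if any(c.isdigit() for c in run) and any(c.isalpha() for c in run):
            return "strong"  # family extension plus a mixed letter/digit ID
    return "weak"            # extension only: could be a user's own file


def sweep(root, min_hits=3):
    """Return {directory: count} for folders with min_hits or more strong matches."""
    hits = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if classify_name(name) == "strong":
                hits[dirpath] += 1
    return {d: n for d, n in hits.items() if n >= min_hits}


def demo():
    """Run the sweep over constructed file names in a temporary directory."""
    names = {  # constructed samples, not taken from a real incident
        "docs": ["0F3A9C2E7B1D4E68AA01.osiris", "0F3A9C2E7B1D4E68AA02.osiris",
                 "0F3A9C2E7B1D4E68AA03.osiris", "budget.xlsx"],
        "music": ["playlist.thor", "song.mp3"],  # weak match only
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, files in names.items():
            os.makedirs(os.path.join(root, folder))
            for name in files:
                open(os.path.join(root, folder, name), "w").close()
        return {os.path.basename(d): n for d, n in sweep(root).items()}


if __name__ == "__main__":
    print(demo())
```

Requiring several strong matches in one folder keeps a single oddly named user file from raising an alarm.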

The Locky ransom demand

Locky encrypts files with two ciphers. These are AES encryption with a 128-bit key and RSA encryption with a 2048-bit key. The keys are generated on the Necurs server and sent to the Locky malware. They are also stored with a reference code.

The encryption only affects data files – files containing text, images, video, or audio. It doesn’t encrypt executable files. This is important because it means you can still use the computer. The hackers want you to pay from that computer, so they don’t want to disable it. The ransomware changes the background of the infected computer’s Desktop to show the ransom demand. This note is also available in a text file copied to the computer.

The instructions tell the victim to install the Tor browser and use it to access the Necurs site. The note also includes a unique ID, which references the attack and is used to extract the correct decryption key once the ransom has been paid. The victim has to type the attack ID and the Bitcoin code into a form on the Necurs site. A decryptor with the decryption key embedded in it is then sent by email.

Some ransomware, either through shoddy programming or intentionally, won’t deliver a method of restoring files. Fortunately, Locky does. Those who pay the ransom can regain access to all of their files.

Variants of Locky ransomware

There have been several updates to Locky that changed how the ransomware operated and can be identified by the different extensions used for encrypted files. Apart from programmatic changes made by the Necurs group, there have been two variants in circulation that Necurs didn’t necessarily produce.


PowerLocky is a blend of two ransomware systems: Locky and PowerWare. This encryption-based extortion software is distributed as a .NET executable and was written in PowerShell. It demands a ransom of 0.75 Bitcoin, which, at the time that the system was active in July 2016, was worth $500. Today that Bitcoin value converts to $29,600.

Like the original Locky, PowerLocky changes the names of all encrypted files and puts the .locky extension on them. The PowerLocky ransom note is an exact copy of that used by Locky.


Lukitus emerged in August 2017. The Necurs botnet also distributed this strain of Locky as an attachment to a mass email mailout. “Lukitus” is Finnish for “locking.” In the Lukitus campaign, the attachment was a .zip or .rar archive file, and the infecting code was written in JavaScript or VBScript.

Infected files get the .lukitus extension. After completing its encryption task, the primary executable is removed.
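Both delivery methods in this article, the macro-carrying Word attachment described under “How does Locky ransomware operate?” and the Lukitus .zip or .rar archives holding JavaScript or VBScript, can be checked at a mail gateway before a user ever sees them. The following is an added example, not code from the original article or from any product; the function names, the list of script extensions, and the sample attachments (built in memory from placeholder bytes) are assumptions made for the example.

```python
import io
import zipfile

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")  # Windows script types
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")          # legacy .doc container


def triage_attachment(data):
    """Return reasons to quarantine an attachment; an empty list means none found."""
    reasons = []
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy Office file: pass to a macro-aware scanner")
    elif data.startswith(b"Rar!\x1a\x07"):
        reasons.append("RAR archive: contents not inspected here, hold for review")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return ["malformed ZIP container"]
        if any(n.endswith("vbaproject.bin") for n in names):
            reasons.append("Office document carries a VBA macro project")
        scripts = [n for n in names if n.endswith(SCRIPT_EXTS)]
        if scripts:
            reasons.append("archive contains script: " + ", ".join(scripts))
    return reasons


def make_zip(members):  # in-memory ZIP from {name: bytes}, used for samples only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def demo():
    """Triage constructed attachments (placeholder bytes, no real payloads)."""
    samples = {
        "invoice.docm": make_zip({"word/document.xml": b"<constructed/>",
                                  "word/vbaProject.bin": b"placeholder"}),
        "invoice.zip": make_zip({"Invoice_0001.js": b"// placeholder"}),
        "notes.docx": make_zip({"word/document.xml": b"<constructed/>"}),
    }
    return {name: triage_attachment(data) for name, data in samples.items()}


if __name__ == "__main__":
    print(demo())
```

The check looks at container contents rather than the attachment's file name, so a renamed archive or document is classified the same way.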

How to protect against Locky ransomware

A heartening piece of news is that thanks to the efforts of Microsoft’s legal team, Locky is no longer a significant threat. Microsoft traced the C&C servers and threatened their hosts with legal action, causing them to remove those accounts in March 2020. Thus, even though the Necurs botnet malware is still resident on millions of computers, the IP addresses hard-coded into them for instruction polling no longer exist. By the time Microsoft plunged in the knife, Necurs controlled more than 9 million zombie computers.

Despite this good news, you can’t be complacent about Necurs and Locky – they could quite easily return.

The best defense against Locky is to educate users against opening attachments in emails from people that they have never heard of. It is also essential to keep all of your software entirely up to date to shut down exploits and protect your system from all types of malware. You should also implement a backup strategy that copies and stores files from each endpoint separately to avoid cross-infection.

You can buy and install some excellent tools to block Locky and all other brands of ransomware. Here are two that we recommend.

1. CrowdStrike Falcon Insight


CrowdStrike Falcon Insight is a package of cybersecurity tools that includes both on-site and cloud elements. The on-site part of this system is an agent program that is installed on each endpoint. This is a complete endpoint detection and response service, and CrowdStrike also markets it as a standalone package called Falcon Prevent.

Key Features:

  • Two-level system
  • Local antivirus
  • Cloud-based coordinator
  • Dual-layer threat hunting
  • Automated responses

Why do we recommend it?

CrowdStrike Falcon Insight is a combination of an on-device antivirus package and a cloud-based SIEM. The AV is called Falcon Prevent and it is available as a standalone product. Each AV uploads activity data to the cloud server for threat hunting. That central unit sends back response instructions.

Falcon Prevent is sufficiently comprehensive that it can continue to protect a device even when the device is isolated from the network and can’t contact the Insight controller in the cloud. The communication between Prevent and Insight uploads activity reports and downloads instructions. The Insight system analyzes activity reports according to the latest threat intelligence. The design looks for anomalous actions rather than specific files. This is the perfect detection method for Locky, which doesn’t drop an executable file on the targeted device. The endpoint agent also carries out that detection method, so Locky doesn’t get a look in.

Remediation actions include isolating the device from the network so infections can’t spread. The system can also command a shutdown of the device, a wipe, and a restore from backup. While Locky doesn’t rely on user accounts, other ransomware does. Falcon Insight can suspend suspicious user accounts and block access to blacklisted IP addresses and domains.

Falcon Insight is backed by CrowdStrike research labs and event records from other CrowdStrike customers. The coordinating system of Insight can pass threat intelligence to all devices on the network so that as soon as one endpoint is hit, all the others are on the alert.

Who is it recommended for?

The big advantage of this package is that its endpoint agent is able to keep detecting and protecting even if its host is disconnected from the network by a ransomware attack. Isolation can also be a protection strategy to prevent malware from spreading to other endpoints.


Pros:

  • Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc.)
  • Intuitive admin console makes it easy to get started and is accessible in the cloud
  • Can track and alert on anomalous behavior over time, and improves the longer it monitors the network
  • Lightweight agents take up few system resources


Cons:

  • Would benefit from a longer trial period

You can get a 15-day free trial of Falcon Prevent.

2. ManageEngine DataSecurity Plus


ManageEngine DataSecurity Plus is a protection system for sensitive data. This is particularly useful for those businesses involved in the Healthcare sector, which was a prime target of Locky. Companies following HIPAA need to ensure that all patient data is accessible for appropriate use and does not get disclosed. The same rules apply to PCI DSS and GDPR. Action logging features in the package are suitable for standards compliance auditing.

Key Features:

  • File integrity monitoring
  • User activity tracking
  • Permissions analysis
  • Automated responses

Why do we recommend it?

As its name suggests, ManageEngine DataSecurity Plus is focused on data protection. The premise of this strategy is that data is the most important asset in your business and its damage or loss is going to ruin your company. The system assumes that you have an AV to spot viruses.

DataSecurity Plus first scours the system and records all of the locations of data stores. It documents these and then scans each store, categorizing the data there. This enables the service to focus protection on sensitive data. The monitor then watches the files that contain that data and protects them from tampering. The system also monitors emails and USB devices to prevent viruses from getting in and data from getting out.

The file protection system is called a File Integrity Monitor (FIM). This raises an alert when an unauthorized change occurs in a monitored file. So, the first encryption attempt by Locky would trigger a notification.
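To show what a file integrity check sees when files are changed or renamed in the way this article describes for Locky, here is an added example (not ManageEngine's code and not from the original article) that hashes a folder, then compares a later snapshot against that baseline. The function names and the sample files are constructed for the example, and the "attack" is only a file overwrite and a rename inside a temporary directory.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path under root (relative) to the SHA-256 of its contents."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root)] = digest
    return state


def compare(baseline, current):
    """Return the path-level changes an integrity monitor would alert on."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Baseline three constructed files, change two, and compare."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("patients.csv", "rota.txt", "logo.bmp"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample: " + name)
        baseline = snapshot(root)
        # Stand-in for an in-place edit: same path, new contents.
        with open(os.path.join(root, "rota.txt"), "w") as fh:
            fh.write("changed contents")
        # Stand-in for a rename to a new extension: old path gone, new one appears.
        os.rename(os.path.join(root, "patients.csv"),
                  os.path.join(root, "0F3A9C2E7B1D4E68AA01.osiris"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A renamed file shows up as one missing path plus one added path, not as a modified hash, so a monitor needs to alert on deletions and new files as well as on content changes.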

The system can be set up to implement remediation actions automatically. Examples of those workflows are shutting down an infected endpoint, restoring files from backup, killing processes, and suspending user accounts.

This software installs on Windows Server and protects computers running the Windows operating system – the targets for Locky.

Who is it recommended for?

This system can protect against account takeover and insider threats as well as intrusion. It can also spot the actions of malware, although it doesn’t spend any time detecting the arrival of malicious code. Effectively, this is a last line of defense for data.


Pros:

  • Provides a detailed account of file access, allowing sysadmins to understand the context of the file change
  • The platform can track access trends over time, allowing for better malicious behavior detection
  • Supports built-in compliance reporting for popular standards such as HIPAA, PCI DSS, and FISMA
  • Can integrate with numerous helpdesk solutions, notification platforms, and backup systems


Cons:

  • Requires a sizable time investment to fully explore all the platform’s features and tools

ManageEngine DataSecurity Plus is available for a 30-day free trial.