The well-known ransomware strain Locky first surfaced in February 2016 and quickly became a popular weapon for attackers. It encrypts important files on the victim's computer, making them unusable until a ransom is paid. Locky stands out not only for its malicious aim but also for its broad reach.

When Locky first appeared, it spread to 18 nations in a single day, and the infection map grew to 61 countries the next day. Within a week, Locky had left its imprint on 109 nations across six continents. Since then, the malware has reached over 200 nations and all seven continents.

Locky is as dangerous as any other ransomware and relies on social engineering to get into systems. It primarily attacked the healthcare industry, but that does not mean other industries are spared. It has therefore become essential for businesses to stay one step ahead of these social engineering and malicious techniques and safeguard their operations.

This article discusses Locky ransomware: how it got into systems and demanded a ransom, how businesses can become more aware of social engineering attacks, and what to do when a system is infected with Locky.

Understanding Locky Ransomware Operations

Locky ransomware enters computer systems through various methods. One common way is through spam emails that contain harmful attachments disguised as harmless files, such as .doc, .xls, or .zip files.

The social engineering begins once the unsuspecting user opens the malicious attachment: the document prompts them to "Enable macro if data encoding is incorrect." This seemingly benign request is a trap, since enabling macros starts the execution of a binary file.

When executed, this binary installs the encryption Trojan, which locks files with particular extensions. The files become unreadable, and their filenames are changed to random strings of characters, making any attempt at recovery much more difficult.

That is not where the infection process ends. Locky then demands that the user visit a particular website, which is itself harmful even if the victim is unaware of it, and download the Tor browser. The final blow is the ransom demand, which forces users to pay to unlock their encrypted files.
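To show how a mail gateway can catch the lure described above before it reaches a user, here is an added example (not Locky's code and not code from any vendor named on this page) that inspects an attachment for the macro-bearing document pattern: a legacy .doc/.xls OLE2 container whose directory carries a VBA project entry, or a ZIP that is either an OOXML package with a vbaProject.bin part or a plain archive wrapping such a document. The OLE2 check is a byte-level heuristic (a production filter would hand hits to a full parser such as oletools), and the sample attachments are constructed in memory and contain no real malware.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries store names as UTF-16LE; Word and Excel both keep
# their macro code under a "_VBA_PROJECT" entry inside the VBA storage.
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
CAMPAIGN_EXTENSIONS = {"doc", "xls", "zip"}   # lure extensions named in the article
MAX_MEMBER_BYTES = 5 * 1024 * 1024            # do not inflate oversized members

def has_vba_ole2(data: bytes) -> bool:
    """Heuristic: legacy .doc/.xls container plus a VBA project entry name."""
    return data.startswith(OLE2_MAGIC) and OLE2_VBA_MARKER in data

def contains_macro(data: bytes, depth: int = 0) -> bool:
    """True for a macro-bearing document, or a ZIP (OOXML package or plain
    archive) holding one; archives are followed at most two levels deep."""
    if has_vba_ole2(data):
        return True
    if depth > 2 or not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith("vbaproject.bin"):
                return True                      # OOXML part that holds VBA code
            if info.file_size <= MAX_MEMBER_BYTES and contains_macro(zf.read(info), depth + 1):
                return True
    return False

def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict: 'block' (macro found), 'review' (campaign extension) or 'allow'."""
    if contains_macro(data):
        return "block"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "review" if ext in CAMPAIGN_EXTENSIONS else "allow"

def build_samples() -> dict:
    """Constructed attachments for the demo; none of this is real malware."""
    def zip_of(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
        return buf.getvalue()
    macro_doc = OLE2_MAGIC + b"\x00" * 64 + OLE2_VBA_MARKER + b"\x00" * 32
    clean_doc = OLE2_MAGIC + b"\x00" * 128
    docm = zip_of([("[Content_Types].xml", b"<Types/>"), ("word/vbaProject.bin", b"\x00" * 16)])
    return {"invoice.doc": macro_doc, "report.doc": clean_doc, "invoice.docm": docm,
            "scan.zip": zip_of([("scan.doc", macro_doc)]), "notes.txt": b"plain text"}
```

Attachments that reach "review" (a campaign extension with no macro found) are the ones worth holding for a full parser or sandbox rather than delivering straight away.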

Root Cause of Locky Ransomware

  • Phishing emails: Locky is distributed through malicious email attachments or URLs that appear to be legitimate documents or invoices. These attachments deceive users into opening them, which infects the machine.
  • Malicious Links: Email hyperlinks may also be used to spread Locky, directing users to phoney websites hosting the ransomware. These links frequently have a trustworthy appearance, which draws people in.
  • Impersonation Tactics: Attackers may impersonate trusted parties or send emails that seem urgent to coerce victims into taking steps that inadvertently expose them to infection.

Historical Impact and Infamous Locky Attacks

Locky's Quiet Attack: 2016–2018

Locky's quiet and unrelenting assault took place between 2016 and 2018, leaving a trail of serious incidents and damaging outcomes in its wake. Distributed mainly through large phishing campaigns, Locky relied on misleading emails carrying a dangerous payload in Word document attachments.

Healthcare Providers in the Crosshairs

Locky spared no industry, although it showed a clear preference for healthcare providers. The ransomware compromised vital systems and encrypted priceless data at healthcare facilities in the US, Canada, France, Japan, Korea, and Thailand. Such attacks on healthcare providers have consequences beyond monetary losses; they also affect patient treatment and the privacy of sensitive medical data.

How Locky Ransomware Attacked the US

Security company AppRiver reported that on a single day in October, an astounding 23 million emails carrying Locky were delivered. According to Malwarebytes Labs, between July and October 2016 Locky was responsible for almost 14% of all ransomware detections globally, with 10% of those cases occurring in the US.

Email is Locky's primary delivery method because it is quick and cheap; criminals often rent the infrastructure required to target individuals at scale. The campaign emails pose as delivery notifications, invoices, demands for prompt payment, and other seemingly ordinary messages.

The Ransom Dilemma: Financial Stress and Bitcoin Payments

Following a Locky outbreak, organisations faced a grave choice: pay the Bitcoin ransom or risk permanently losing important data. The attackers, who were probably connected to the Dridex group (also known as Evil Corp or TA505) and operated in the shadows, usually sought a ransom of between 0.5 and 1 Bitcoin. The immediate cost of operational disruption, combined with the financial pressure of these payments, made Locky a tangible financial hardship as well as a digital menace.

Consequences of Locky Infection

  • The malware used a sophisticated combination of RSA and AES encryption.
  • Accessible data was transformed into encrypted puzzles.
  • The impact extended beyond temporary file loss to systemic disruption and operational paralysis.
  • Network shares, usually perceived as a secure place for shared resources, became vulnerable.
  • Locky's encryption of files on network shares exacerbated the scale of the havoc.
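The renaming behaviour described above (files on local disks and network shares replaced by random-string names) is itself a detection signal. As an added example that is not part of the original article, the following Python scans constructed file-share audit events (timestamp, user, old path, new path) and alerts when one account performs a burst of high-entropy renames within a short window; the ".locked" suffix in the sample data is a placeholder, and the entropy threshold, rename count and window size are assumptions to tune per environment.

```python
import math
from collections import deque
from datetime import datetime

# Constructed file-share audit events (not real logs): timestamp, user, old path,
# new path. The new names mimic the random-string renames the article describes.
SAMPLE_AUDIT = r"""
2016-03-01T09:00:01 jdoe   \\fs01\finance\Q1-budget.xlsx  \\fs01\finance\A3F9C1E07B2D4E6F.locked
2016-03-01T09:00:03 jdoe   \\fs01\finance\payroll.docx    \\fs01\finance\7C0B2D9E4A1F6B83.locked
2016-03-01T09:00:04 asmith \\fs01\hr\draft-policy.docx    \\fs01\hr\final-policy.docx
2016-03-01T09:00:06 jdoe   \\fs01\finance\vendors.xlsx    \\fs01\finance\E91D4B7A2C5F0836.locked
2016-03-01T09:00:09 jdoe   \\fs01\hr\handbook.pdf         \\fs01\hr\5B8E2F1C9D0A7463.locked
2016-03-01T09:00:12 jdoe   \\fs01\hr\onboarding.pptx      \\fs01\hr\C4A7E0D3B962F185.locked
2016-03-01T09:00:15 jdoe   \\fs01\hr\org-chart.xlsx       \\fs01\hr\2F6D8C1A4E7B9350.locked
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: random hex stems score near 4, human names far lower."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_random(path: str) -> bool:
    """Heuristic for a Locky-style renamed file: long, high-entropy stem, no '-' or '_'."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(stem) >= 12 and "-" not in stem and "_" not in stem and shannon_entropy(stem) >= 3.0

def share_of(path: str) -> str:
    # r"\\server\share\dir\file" -> r"\\server\share"
    return "\\".join(path.split("\\")[:4])

def detect_rename_bursts(text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Map each user whose random-looking renames reach `threshold` inside a
    sliding `window_s`-second window to (peak count, sorted shares touched)."""
    recent, alerts = {}, {}
    for line in text.strip().splitlines():
        ts, user, _old, new = line.split()
        if not looks_random(new):
            continue
        q = recent.setdefault(user, deque())
        q.append((datetime.fromisoformat(ts), share_of(new)))
        while (q[-1][0] - q[0][0]).total_seconds() > window_s:
            q.popleft()          # drop renames that fell out of the window
        if len(q) >= threshold:
            alerts[user] = (len(q), sorted({s for _, s in q}))
    return alerts

if __name__ == "__main__":
    for user, (count, shares) in detect_rename_bursts(SAMPLE_AUDIT).items():
        print(f"ALERT {user}: {count} random renames in 60 s on {', '.join(shares)}")
```

The same logic run against live SMB audit or EDR file events gives an early trigger for the isolation and share-disconnection steps described later in this article.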

Preventive Measures Against Locky

As mentioned above, Locky uses social engineering to attack systems, which means that in any business with many employees someone can easily be tricked. Organisations therefore need to protect themselves before it is too late. Here are some preventive measures against Locky ransomware:

  • Enable Spam Filters: Use spam filters in your email system to detect and block phishing attempts, a common ransomware delivery method.
  • Exercise Caution with Email Attachments: Avoid opening attachments or clicking on links in emails from untrusted sources. Verify the sender's authenticity before interacting with such content.
  • Regularly Update Software: Keep your operating system and applications up to date to patch vulnerabilities that ransomware may exploit.
  • Backup Data Regularly: Regularly back up important data to an external source. In case of an attack, you can restore your files without paying the ransom.
  • Educate Employees: Provide cybersecurity awareness training to recognise and avoid potential threats, enhancing the overall security posture.

Responding to a Locky Attack

Even with prevention measures in place, there is still a good chance of being hit by Locky ransomware. Here are the initial steps to take after a Locky infection:

Isolate Infected Systems:

Quickly isolate the infected systems from the network to prevent the ransomware from spreading further. This step helps contain the impact and limits potential damage to other connected devices.

Disconnect from Network Shares:

Sever connections to network shares to prevent Locky from encrypting files in shared repositories. This step is crucial to safeguard critical data stored on network drives.

Identify Patient Zero:

Identify the initial entry point, or "Patient Zero," to understand how the ransomware infiltrated the system. This information is valuable for enhancing security measures and preventing future incidents.

Notify IT Security:

Immediately notify the IT security team or relevant person to initiate a comprehensive investigation. Time is of the essence, and swift collaboration is essential to assess the extent of the compromise.

Recovery and Mitigation Strategies Post-Locky Compromise

Restore from Backups: Verification of Data Backups

Verify the integrity and presence of recent backups. Make sure the ransomware hasn't encrypted or compromised the backup repository.

Data Recovery:

Start the restoration procedure with clean backups. This step is essential to restore encrypted data without giving in to ransom demands.

Reinforce Security Controls: Patch and Update Systems

To stop future exploitation, upgrade systems and patch vulnerabilities. Keeping systems current is essential for strengthening defences against evolving attacks.

Boost Email Security:

Fortify email security procedures to prevent phishing attempts. Inform users of the risks of opening dubious attachments and enable advanced threat detection.

Coordinate with Law Enforcement:

Work with law enforcement to report the incident and obtain information. This collaboration advances cybersecurity efforts by assisting in the identification of cybercriminals.

Internal Communication:

Communicate openly and honestly with staff, clients, and stakeholders. Timely and accurate information builds confidence and prepares all stakeholders for potential repercussions on operations.

Learn and Adapt

Post-Incident Review:

Conduct a comprehensive post-incident review to identify the attack pathways and vulnerabilities used. Use this knowledge to strengthen defences against similar threats and improve security procedures.

Employee Training:

Make continuous cybersecurity training for staff a top priority. Awareness of the threats is crucial, and knowledgeable employees can serve as the first line of defence against malware infections and phishing scams.

Continuous Monitoring and Adaptation

Incorporate threat intelligence feeds to stay current on new threats and weaknesses. Proactive monitoring lets organisations adjust their security posture in response to changing cyber threats.

Regular Simulated Attacks:

Perform penetration tests or simulated attacks regularly to assess the efficacy of security measures. This proactive strategy helps locate gaps and improve defences.

Countering a Locky attack takes a mix of quick thinking, thorough recovery plans, and continuously adapted security measures. By building these practices into their cybersecurity processes, organisations can enhance their ability to withstand the persistent threat of ransomware.

The fight against ransomware is constant, as data is an organisation's lifeblood. A strong cybersecurity posture results from frequent system updates, stringent email security guidelines, and simulated attacks. Organisations can defend themselves against the ever-changing threat of Locky and its ilk by staying educated, adapting their defences, and cultivating a cybersecurity-aware culture.

In addition to being a look back, this article is a call to action that asks us to strengthen our digital environments and work together to overcome the many obstacles that Locky ransomware presents. We can create a more secure digital future by being informed, alert, and taking preventative action.

Get automated cyber security against cyber threats with Tata Communications.
