A Guide to Locky Malware

There seems to be no end to the cyber-security threats businesses face today, and one of these threats that you need to be aware of is Locky malware. Although Locky sounds like ‘lucky’, it is far from it. The Locky virus is a form of ransomware, and it gets its name because it will rename all of your vital files, causing them to have the extension ‘.Locky’. Of course, your files don’t simply get a new name: they are scrambled, and the hacker is the only person with the decryption key. Most decryption keys are sold on the dark web, with prices in the hundreds. Below, we will tell you everything you need to know about it.

How do you receive the Locky virus?

The Locky virus will often infect a computer due to a person opening a Word document, which they have been sent via email. This document will entice you to follow some instructions that will put your files at risk. Let’s go through a typical scenario…

It all begins when you receive an email that has a document attached to it. You open the document, and it looks like absolute nonsense – just a bunch of symbols, letters, and numbers.

At the top of the Word document, you will see a security warning, which will tell you that macros have been disabled. In the Word document, the hacker will have typed a message in red that says something along the lines of ‘enable the macro if the data encoding is incorrect’. They are trying to make you click on this security message and enable macros so you can ‘correct the text encoding.’

However, you won’t be correcting the text encoding at all. Instead, you end up running code (a macro) that is stored inside the document. That macro writes a file to your disk and runs it, and this saved file acts as a downloader, fetching and installing the Locky virus onto your computer.
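The safest place to stop the scenario above is before the document ever reaches a user. The following Python script is an added example, not code from the original post or from any vendor: it inspects an OOXML Word attachment (.docx/.docm are zip containers) and flags it when it carries a VBA project, which is what a macro-bearing lure contains. The entry names `word/vbaProject.bin` and `vbaData.xml` are the standard OOXML locations for VBA; the sample documents, the gateway verdict strings and the `triage_attachment` function are constructed for this demo. Legacy binary `.doc` files are not zip containers and are deliberately held rather than passed.

```python
import io
import zipfile
from typing import Optional

# Entry names that appear inside an OOXML (.docx/.docm) zip container only when
# the document carries a VBA project. The container layout is standard OOXML;
# the sample documents built below are constructed for this demo.
VBA_MARKERS = {"vbaProject.bin", "vbaData.xml"}


def has_vba_macros(data: bytes) -> Optional[bool]:
    """True if the OOXML document embeds VBA, False if it does not, None if the
    bytes are not a zip container at all (for example the legacy binary .doc
    format, which needs a separate OLE parser and should not be waved through)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    # Compare only the final path component so "word/vbaProject.bin" matches.
    return any(name.rsplit("/", 1)[-1] in VBA_MARKERS for name in names)


def triage_attachment(data: bytes) -> str:
    """Map the macro check onto a (hypothetical) mail-gateway decision."""
    verdict = has_vba_macros(data)
    if verdict is None:
        return "hold-for-ole-scan"   # unknown container: inspect before delivery
    return "quarantine" if verdict else "deliver"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; a stub is enough here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("macro-free docx", build_sample_docx(False)),
        ("macro-bearing docx", build_sample_docx(True)),
        ("legacy .doc / unknown", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    )
    for label, blob in samples:
        print(f"{label:22s} -> {triage_attachment(blob)}")
```

The check is structural rather than signature-based, so it catches a macro-bearing document regardless of what the lure text says; pairing it with an Office policy that blocks macros in files from the internet closes the user-side gap the post describes.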

Uh oh, now what?

Locky will now scramble all of your files that match a wide range of extensions, including Office files, source code, images, videos, and even your Bitcoin wallet file. The ransomware does not stop at your C: drive: it scrambles files in any directory on any mounted drive. In most cases, you will then see a message giving you links to the decryption tool on the dark web, and you will need to pay to get your files back.
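Because the post says every scrambled file ends up with the ‘.locky’ extension, a sudden spread of that extension across a share is a usable incident signal. The script below is an added example (not from the original post) that walks a directory tree, counts ‘.locky’ files per directory and raises an alert once the count passes a threshold; in practice you would run it against each mounted drive and share. The threshold value and the sample tree it builds are constructed for the demo.

```python
import os
import tempfile
from collections import Counter

# Extension the post says Locky gives to every file it scrambles.
LOCKY_EXT = ".locky"


def scan_for_locky(root: str, threshold: int = 5) -> dict:
    """Walk `root` and count files carrying the .locky extension, per directory
    (relative to root). `alert` is set when the total meets `threshold`: a
    single .locky file may be a stray, dozens mean an encryption run."""
    per_dir = Counter()
    for dirpath, _dirs, filenames in os.walk(root):
        hits = sum(1 for n in filenames if n.lower().endswith(LOCKY_EXT))
        if hits:
            per_dir[os.path.relpath(dirpath, root)] += hits
    total = sum(per_dir.values())
    return {
        "per_directory": dict(per_dir),
        "total": total,
        "alert": total >= threshold,          # threshold is a demo value
        "worst": [d for d, _ in per_dir.most_common(3)],
    }


def build_sample_tree() -> str:
    """Create a throwaway directory tree (constructed data) that mimics a share
    after Locky has run: scrambled files alongside a couple it did not touch."""
    root = tempfile.mkdtemp(prefix="locky-demo-")
    files = [
        ("docs", "report.docx.locky"),
        ("docs", "budget.xlsx.locky"),
        ("docs", "notes.txt"),            # untouched
        ("media", "holiday.jpg.LOCKY"),   # extension case varies; still counts
        ("wallet", "wallet.dat.locky"),
        (".", "readme.txt"),              # untouched
    ]
    for sub, name in files:
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    return root


if __name__ == "__main__":
    report = scan_for_locky(build_sample_tree(), threshold=3)
    print(report)
```

Run this from a scheduled task against file servers and the alert fires early in an encryption run, which is when disconnecting the affected machine still limits the damage to mounted drives.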

Protecting yourself from the threat of this type of malware is essential. Make sure you understand the damage Locky can cause, stress to your employees the importance of not opening attachments they don’t recognise, and make clear that it’s vital NOT to enable macros on documents they don’t know and trust.

If you’ve been infected we can help. Fill in our form or send Howard Coates an email at hjc@coatesconsulting.co.uk.