The return of Locky: a closer look at 2017’s largest malware campaign

The resurgence of Locky ransomware has been described as one of the largest malware campaigns of the second half of 2017, with more than 23 million infected emails sent to the US workforce in just 24 hours on 28 August 2017.

The ransomware encrypts the contents of a computer or server and then demands payment to unlock it. Victims are presented with a ransom note demanding 0.5 bitcoin (£1,800) for a ‘Locky decryptor’ in order to get their files back.

This isn’t the first time Locky has reared its head in cyberspace. Locky rose to prominence more than a year before the WannaCry outbreak pushed the threat of ransomware into view of the whole world, when the Hollywood Presbyterian Medical Center in Los Angeles became infected in February 2016.

After the infection encrypted systems throughout the facility, locking staff out of computers and electronic records, the hospital paid a ransom of 40 bitcoins – then equivalent to £13,000 – in order to decrypt its data.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” Allen Stefanek, president of the Hollywood Presbyterian Medical Center, said at the time.

Locky has since plagued victims around the world, with many seeing no alternative but to pay up.

How does it work?

The ransomware is sent via spam emails with subject lines such as ‘please print’, ‘documents’ and ‘scans’. Inside the email is a zip attachment, which hides the malware in the form of a Visual Basic script (VBS).

Once opened, the script downloads the latest version of the Locky ransomware, called ‘Lukitus’ (‘locked’ in Finnish), which encrypts all the files on the target computer.

Post-encryption, the malware displays a ransom note on the victim’s desktop instructing them to download and install the Tor browser and visit the attacker’s site for further instructions and payment.
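The delivery chain described above (lure subject, zip attachment, script inside the archive) is exactly what a mail gateway can check for before a user ever sees the message. The following is an added example written for this page, not code from the original article or from any vendor: it builds a constructed sample message that mimics that chain, then scans it with Python’s standard library and returns a verdict. The subject list comes from the page; the extra script extensions alongside `.vbs`, the file names and the addresses are assumptions chosen for the demo.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines the page names as Locky lures. A real gateway would keep this
# list in configuration and tune it; treat it as an assumption for the demo.
LURE_SUBJECTS = {"please print", "documents", "scans"}

# The page describes a VBS dropper; the other extensions are assumed siblings
# that a defender would normally block alongside it.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cmd", ".bat")


def build_sample_message(subject="please print", member="scan_0028.vbs"):
    """Construct a sample RFC 5322 message (constructed data, not a real capture).

    It mimics the chain described on the page: a lure subject, a zip
    attachment, and a script file inside the archive. The member's body is an
    inert comment line, so nothing here is executable malware.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "' inert placeholder, constructed for the example\r\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # assumed address
    msg["To"] = "user@example.invalid"          # assumed address
    msg["Subject"] = subject
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scan_0028.zip")  # assumed attachment name
    return msg.as_bytes()


def scan_message(raw):
    """Inspect a raw message and return the indicators found plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "lure_subject": (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS,
        "zip_attachments": [],
        "scripts_in_archives": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes as well as the name, so a renamed archive is still seen.
        if not (name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04")):
            continue
        findings["zip_attachments"].append(name)
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for entry in zf.namelist():
                    if entry.lower().endswith(SCRIPT_EXTENSIONS):
                        findings["scripts_in_archives"].append(f"{name}:{entry}")
        except zipfile.BadZipFile:
            # An archive that cannot be opened is treated as suspicious, not ignored.
            findings["scripts_in_archives"].append(f"{name}:<unreadable archive>")

    # Script inside an archive: quarantine. Lure subject plus a zip but no
    # script: hold for review. Otherwise let it through.
    if findings["scripts_in_archives"]:
        findings["verdict"] = "quarantine"
    elif findings["lure_subject"] and findings["zip_attachments"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "pass"
    return findings


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
    print(scan_message(build_sample_message("Q3 report", "report.txt")))
```

The verdict is deliberately based on structure (a script file inside a zip attachment) rather than on any signature, because the page’s point is that the same lure shape recurs while the payload changes; a gateway rule of this form catches the Lukitus wave described here without knowing its hash.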

What steps can organisations take to protect themselves?

Ransomware has become one of the biggest threats to organisations, with several widespread ransomware outbreaks occurring in recent months.

Currently there is no decryptor available to decrypt data locked by Locky and its counterparts (WannaCry, NotPetya, LeakerLocker, etc.), meaning that prevention is the cure.

Employees should be trained to take basic steps to protect themselves against phishing attacks, such as being suspicious of uninvited documents sent via an email and never clicking links inside those documents unless they can verify the source.

Organisations should also ensure that antivirus software and systems are updated to protect against the latest threats.

Worried that your staff are clicking malicious links?

Tackle damaging behaviour head-on with our bespoke Security Awareness Programme.