Ransom.Locky

Short bio

The Locky ransomware was first discovered at the beginning of 2016 and immediately became one of the major threats in the wild.

It is distributed through the use of both exploit kits and malspam. The Neutrino, RIG, and Nuclear exploit kits have all distributed Locky sporadically in the past.

Currently, the Necurs botnet is the main source of the malspam that results in Locky infections. The lure is usually a malicious Microsoft Office document or a ZIP attachment containing a malicious script; opening the document (and enabling its macros) or running the script fetches and executes the Locky payload.

Ransom file extensions

Extension   First observed
.locky      Feb-16
.zepto      Jun-16
.odin       Sep-16
.shit       Oct-16
.thor       Oct-16
.aesir      Nov-16
.zzzzz      Nov-16
.osiris     Dec-16
.loptr      May-17
.diablo6    Aug-17
.ykcol      Sep-17
.asasin     Oct-17

Ransom note files

  • _Locky_recover_instructions.txt
  • HELP_Recover_Files_.html
  • _HELP_instructions.html
  • DesktopOSIRIS.htm
  • diablo6-{random characters}.htm
  • ykcol-{random characters}.htm
  • asasin-{random characters}.htm
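The two lists above (encrypted-file extensions and ransom note names) are the artifacts an incident responder can sweep a file share or a recovered disk image for. The script below is an added triage example written for this page, not Malwarebytes code: it walks a directory tree, tags files whose extension matches one of the Locky variants, matches ransom notes by name (treating the page's "{random characters}" as an alphanumeric run, which is an assumption), and gives a verdict that only reaches "likely-locky" when both encrypted files and a note are present, since an extension match on its own is weak evidence. The sample tree it builds is constructed for the demo and does not come from a real infection.

```python
"""Sweep a directory tree for Locky artifacts: renamed files and ransom notes."""
import os
import re
import tempfile

# Extension appended by each Locky variant and the month the page lists for it.
LOCKY_EXTENSIONS = {
    ".locky": "Feb-16", ".zepto": "Jun-16", ".odin": "Sep-16", ".shit": "Oct-16",
    ".thor": "Oct-16", ".aesir": "Nov-16", ".zzzzz": "Nov-16", ".osiris": "Dec-16",
    ".loptr": "May-17", ".diablo6": "Aug-17", ".ykcol": "Sep-17", ".asasin": "Oct-17",
}

# Ransom note names from the page. "{random characters}" is assumed to be
# alphanumeric; widen the class if you observe other characters in the field.
RANSOM_NOTE_PATTERNS = [
    r"_Locky_recover_instructions\.txt",
    r"HELP_Recover_Files_\.html",
    r"_HELP_instructions\.html",
    r"DesktopOSIRIS\.htm",
    r"diablo6-[A-Za-z0-9]+\.htm",
    r"ykcol-[A-Za-z0-9]+\.htm",
    r"asasin-[A-Za-z0-9]+\.htm",
]
NOTE_RE = re.compile("^(?:" + "|".join(RANSOM_NOTE_PATTERNS) + ")$", re.IGNORECASE)


def classify(filename):
    """Tag one file name: ('encrypted', ext, first_seen), ('note', name) or None."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in LOCKY_EXTENSIONS:
        return ("encrypted", ext, LOCKY_EXTENSIONS[ext])
    if NOTE_RE.match(filename):
        return ("note", filename)
    return None


def scan_tree(root):
    """Walk root and collect per-extension counts, note paths and affected directories."""
    report = {"encrypted": {}, "notes": [], "dirs_hit": set()}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit is None:
                continue
            rel = os.path.relpath(dirpath, root)
            report["dirs_hit"].add(rel)
            if hit[0] == "encrypted":
                report["encrypted"][hit[1]] = report["encrypted"].get(hit[1], 0) + 1
            else:
                report["notes"].append(os.path.join(rel, name))
    return report


def verdict(report):
    """Extension alone is weak (a legitimate file could carry one of these suffixes);
    renamed files plus a dropped note in the same tree is the strong signal."""
    if report["encrypted"] and report["notes"]:
        return "likely-locky"
    if report["encrypted"] or report["notes"]:
        return "suspicious"
    return "clean"


# Constructed sample tree for the demo: an Osiris-era share and a Ykcol-era share,
# each with one renamed file and its note, plus untouched files as negatives.
SAMPLE_FILES = [
    "docs/F67091F1D24A922B1A7FC27E19A9D9BC.osiris",
    "docs/DesktopOSIRIS.htm",
    "docs/budget.xlsx",
    "share/4E2C1B0A9D8F7E6C.ykcol",
    "share/ykcol-a1b2c3.htm",
    "share/notes.txt",
]


def demo():
    """Build the constructed tree in a temp dir, scan it and return a plain summary."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_FILES:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed placeholder content\n")
        report = scan_tree(root)
        return {
            "verdict": verdict(report),
            "encrypted": report["encrypted"],
            "notes": sorted(os.path.basename(p) for p in report["notes"]),
            "dirs": sorted(report["dirs_hit"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `scan_tree` at a mounted evidence image or a file share to scope an incident: the set of affected directories tells you how far the encryption reached, and the extension seen tells you which variant (and roughly which campaign month) you are dealing with.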

Remediation

Malwarebytes users are protected against the Locky ransomware, thanks to our multi-layer defense.
