What is Locky?

Locky is a lesser known piece of ransomware that was first released back in 2016. After going quiet for a while, it had quite a resurgence in 2017. Although it may not have grabbed headlines in the way that WannaCry and NotPetya did, Locky is a good example of malware to look at because of the way in which it spreads. It is entirely preventable – as long as email users are armed with some basic knowledge to keep themselves secure online.

Because it’s a relatively long process, running through the stages of a Locky infection is a great way to highlight behaviours that should be adopted or avoided at all levels of an organisation, in order to steer clear of similar ransomware infections.

Stage one: Email received

What happens: Locky gets on to your system via an email attachment, usually a Word document purporting to be an invoice or other important correspondence. Of course, in order to open an email attachment you first need to receive the email!

Behaviour to adopt: This is one for the system administrators. Anti-spam solutions should be deployed as a way of stopping emails reaching a user’s inbox if they’re not from trusted senders and/or contain dubious attachments.

Stage two: Email opened

What happens: Email from an unknown address is opened. The email usually contains a short message with words to the effect of “Here is the invoice you requested; please review”.

Behaviour to adopt:  Users should double check the sender of an email before opening up any attachments. This can be done by hovering over the sender’s name in your inbox. Do you know the email address? Try searching it in a search engine to see if other users have come across the same issue.

Stage three: Attachment opened

What happens: In this case, opening the document itself – though we definitely advise against opening any unexpected document from an unknown source – doesn’t cause any direct damage. The document will just contain nonsense: scrambled characters and symbols. However, do remember that many other types of malware are spread simply by downloading an attachment.

Behaviour to adopt: Were you expecting to receive an attachment? You’re probably familiar with suppliers who may send an invoice, but if you’re not, ask a colleague who can advise before your proceed.

Stage four: Macros are enabled

What happens: Crucially, the document will contain a message encouraging the user to “enable macros if data encoding is incorrect”. Faced with a jumbled up mass of characters, the user may enable macros in an attempt to “decode” the message. Once macros are enabled, the mail client will automatically save a file which runs and downloads a Trojan onto the user’s system. If you don’t already have macros disabled, your probably should. Find out how to do that here.

Behaviour to adopt: Be suspicious and take your time. If a genuine supplier had intended to send an invoice but accidentally sent a file full of mumbo-jumbo, they couldn’t complain about late payment. If you think the document was sent from a genuine source, pick up the phone and let them know that they’ve sent a strange document; they can always re-issue an invoice if necessary. If you’re not sure who sent the attachment, just delete the message. Don’t let curiosity get the better of you!

Stage five: Encryption of files

What happens: The Trojan will gradually encrypt important files. After the encryption is complete, they will be unavailable to the user.

Behaviour to adopt: The Locky ransomware can be stopped from properly initialising by disabling macros in Word.  This also helps defend against other macro-download threats.

Stage six: Ransom demand

What happens:  The user receives a prompt on the screen demanding a ransom for their encrypted data. Locky will then provide a guide on how to pay this ransom with Bitcoin, via a specific browser and webpage.

Behaviour to adopt: It is not recommended that you pay the ransom. At best, you’ll get your data back and fund future attacks (possibly against your business again!) and at worst, you won’t get your data back, will fund future attacks and cause yourself potential reputational damage by executing a “cover up”. If your company has become a victim of this ransomware, the only secure way to reverse the damage would be to restore a backup of all of the data from before Locky infected the system. Ensure that backups are run frequently and saved securely.

This example of malware infection demonstrates that very simple steps can help you and your colleagues avoid inadvertently downloading malware. You don’t need an in-depth knowledge of cyber security to be able to carry them out and in many cases, taking a short pause to think before acting is enough to prevent a costly disaster.