Chapter 8. Locky

Before it was shut down, CryptoWall was, by far, the most effective ransomware family in terms of successful infections. However, the team behind Locky has attempted to infect many more victims. Locky first surfaced in February 2016 and was named Locky because the encrypted files all had the extension .locky appended to them. Traditionally, Locky has been delivered through spam campaigns. There are three spam methods that the team behind Locky has successfully used:

• An embedded macro in a Microsoft Office document
• A Windows batch script, also embedded in a Microsoft Office document, that executes and downloads the ransomware
• A compressed .zip or .rar file containing a malicious JavaScript file that downloads and runs Locky

Locky has also been delivered via visits to malicious websites and legitimate websites that have fallen victim to malvertising campaigns, using the Rig exploit kit and taking advantage of flaws in Adobe Flash.

Unlike some of the other ransomware families, the decryption for Locky has not been broken. There also have not been any weaknesses found in the Locky encryption process that might allow files to be recovered. A system that has been infected with Locky will either need to be restored from backup or the ransom will need to be paid (alternatively, the system can simply be wiped and the end users can start fresh with all data gone).

Locky also uses an affiliate program that allows less-skilled attackers to take advantage of the Locky infrastructure ...