Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!


From Malware Wiki
Jump to: navigation, search
DateFebruary 2016
Programming LanguageC++
PlatformMicrosoft Windows
File TypeWin32 PE executable (.EXE)
Impact5,000,000 computers
Damage costs$12 million
This box: view  talk  edit

Locky is a ransomware email worm and macro trojan virus program on Microsoft Windows.

It is reported to have done 4000 new infections per hour and approximately 100,000 infections per day with most of the infections happening in Germany and the Netherlands.



Locky is distributed through emails that pretend to be invoices or via exploit kits on hacked sites. These invoices will have a subject similar to ATTN: Invoice J-12155976 or FW: Invoice and have an attached malicious word document or zip file containing a javascript installer. These attachments will have file names like Invoice J-12155976.doc or 138AD_scan_invoice_45E288.zip.

When the user double-clicks on the word document and enable macros or execute the javascript file, it will download the Locky ransomware executable and begin the encryption process.

Locky can also infect the user's computer when they visit a hacked site that has an exploit kit on it. These exploit kits will scan their computer for vulnerable programs and attempt to exploit them to install and start the ransomware without their knowledge.


When opened, the Document file gets downloaded into the system and that its content is garbled along with a prompt that states "enable macros". Once the macros are enabled, the user would download an executable from a remote server and run it from there.

When Locky is first installed it will check to see if the computer is using the Russian language, and if it is, will not encrypt the computer. Otherwise, it will connect to a remote Command & Control server that is under the Locky developer's control and send it the ID associated with the victim's infection. This ID is generated by taking the first 16 characters of a MD5 hash of the GUID for the storage volume that Windows is installed on. Once it sends the ID, Locky will respond with an RSA key that will be used during the encryption process.

Locky will then create a Windows registry key that it will use to store configuration information. This registry key is located at HKCU\Software\[random]. 

Locky will now scan the computer's local, removable, mapped drives, and unmapped network shares for file types that it targets for encryption. The extensions targeted by Locky are:

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, 
.wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, 
.tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, 
.jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, 
.dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, 
.dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), 
.sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, 
.potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, 
.xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, 
.ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, 
.pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

When a file is encrypted it will generate a new AES encryption key and encrypt the file with it. This AES encryption key is then further encrypted by the RSA key that was retrieved from the Command & Control server. This RSA encrypted AES key is then stored in the encrypted file.

When a file is encrypted it will be renamed to different formats depending on the version of Locky. Many of these extensions are named after gods from Norse and Egyption mythology. The original extension used by encrypted files is .locky.

Locky will scan all drive letters on the user's computer including removable drives, network shares, and even DropBox mappings. In summary, if there is a drive letter on the user's computer it will be scanned for data files to encrypt by the ransomware

When the infection has finished scanning the user's computer it attempts to delete all of the Shadow Volume Copies that are on the affected computer. It does this so that the user cannot use the shadow volume copies to restore their encrypted files. The command that is run to clear the Shadow Volumes is:

vssadmin.exe Delete Shadows /All /Quiet

Now that the computer's data has been encrypted, it will display the %UserProfile%\Desktop\_HELP_instructions.html ransom note. An example text of the ransom note is:



All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:

Decrypting of your files is only possible with the private key and decrypt program, which is on our 
secret server.
To receive your private key follow one of the links:
1. http://25z5g623wpqpdwis.tor2web.org/F61242A1A24B711E
2. http://25z5g623wpqpdwis.onion.to/F61242A1A24B711E
3. http://25z5g623wpqpdwis.onion.cab/F61242A1A24B711E

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: 25z5g623wpqpdwis.onion/F61242A1A24B711E
4. Follow the instructions on the site.

!!! Your personal identification ID: F61242A1A24B711E !!!


Locky will also change the wallpaper. From there, it will ask for a payment of between 0.5 and 2 Bitcoins ($208 to $800 roughly) in order to receive the decryption key.

An antivirus that is able to delete ransomware can remove this virus.


  • Locky Decryptor: Also known as Locky decrypt tool is a variant that pretends to be a decryptor. The price of this decrypter starts from 0.5 Bitcoins (which is equal to 225 dollars but may vary depending on the case.
  • AutoLocky: It is a variant which is not as dangerous as the original. Its executive file spreads via spam emails and, once the victim opens it, virus encrypts files and asks for a ransom (0.75 Bitcoin, so approximately 325 dollars). It uses Locky's name to look scary; however, it is not as dangerous as the real version of the malware. AutoLocky ransomware is written in AutoIt language, so it is not as complicated as Locky, which is written in C++ programming language.
  • Bart: It is a variant that adds them to individual ZIP archives and protect them with a password. It has its own entry.
  • Bart v2.0: It is a improved version of Bart. After infecting the system, it encrypts records using RSA4096 encryption and adds .bart2.zip file extensions to them. The virus demands roughly 1800 USD in exchange for the Bart2 Decryptor.
  • Zepto: It is a variant that was discovered in June 2016. It was released right after Bart ransomware, and it spreads via malicious email campaigns. This computer threat encrypts data using both AES-128 and RSA-2048 ciphers, making it nearly impossible to crack the virus and create a free decryption tool.
  • ODIN: It is a variant that appends the .odin extension to files. The virus commands the victim to go to the ODIN payment page, which suggests buying Locky Decrypter.
  • Shit: It is a variant that showed up in the beginning of October and shook the entire community with its name. Once it infects the target computer, it uses Rundll32.exe to start its work and drops _WHAT_is.html, _[random numbers]_WHAT_is.html, and _WHAT_is.bmp files to inform its victim about the computer's state. Beware that this malware targets over 380 file extensions, including docx, .xml, .txt, .pdf, .xls, .odt, .key, wallet.dat and others.
  • Thor is a variant that was detected at the same time Shit was detected. This new version adds .thor file extensions to each encrypted file and also distorts the original filename to make the files unrecognizable. It also leaves _WHAT_is.html ransom note and a .bmp version of it on computer's desktop. This particular ransomware version demands a slightly smaller payment – more or less half a Bitcoin.
  • Hucky: Also known as Hungarian Locky, is a variant that has a ransom note and desktop picture in Hungarian. Typical Locky file recovery instructions appear as _Adatok_visszaallitasahoz_utasitasok.txt and feature Hungarian data retrieval information as well. Hucky ads the old ".locky" extensions to all of the encrypted files.
  • Aesir: It is a variant that was discovered at the end of November 2016. The name associates with Norse mythology. Following a successful data encryption using RSA and AES ciphers, Aesir appends .aesir file extensions to encrypted data. Aesir uses new C2 servers and is reportedly distributed via the malicious Facebook spam campaign that is based on bogus message attachment that ostensibly is a Photo_[random chars].svg file. Once the victim clicks to open it, a hidden JavaScript code gets activated, and it redirects the victim to a phishing website, which asks to install a browser add-on in order to view a video. If the user installs it, the malicious extension downloads Nemucod Trojan downloader and sends out the malicious .svg file to all victim's Facebook friends via FB Messenger. As a result, the victim unwillingly delivers the malicious file to all friends and receives a Trojan that connects to the online server and downloads Aesir to the computer.
  • Osiris: It is a variant that was discovered on December 4th, 2016. It spreads around in the form of an obfuscated .zip archive that features a .vbs file. Malicious emails that deliver the malicious program reportedly named "Photo/Document/Archive from office." After encoding all victim's files, the malicious program appends .osiris file extension next to the original file name and drops a ransom note called OSIRIS-[4 symbols].html in every folder that holds encrypted records. Just like previous versions, Osiris virus uses an uncrackable encryption method and obfuscation layers to prevent malware researchers from finding an antidote for it.
  • Diablo6: It is a variant that encodes files with RSA-2048 and AES-128 and appends .diablo6 extension to filenames. Consequently, the content of files becomes unreadable. The virus is currently being pushed via two massive malspam campaigns. The virus arrives in a ZIP file that contains a VBS downloader. Once executed, the VBScript connects to one of the malicious URLs and downloads the ransomware to the computer. The VBS file is also responsible for launching the ransomware. Another malspam campaign pushes PDF attachments with embedded .DOCM files that contain a malicious Macros script. Once executed, the compromised document downloads malware from an infectious domain and runs it on the target computer. The virus renames original file names using victim's ID and random characters in such way: [eight first characters of the victim's ID]-[next four characters of the ID]-next four characters of the ID]-[four random characters]-[twelve random characters].diablo6. Following a successful encryption, the ransomware creates diablo.htm (the ransom note) and diablo.bmp (it sets this image as desktop's wallpaper). The ransom note commands the victim to install Tor browser and access a website that contains data recovery instructions. The .onion website states that the victim has to pay 0.5 Bitcoin to restore encrypted data.
  • Lukitus: It is a variant that was used in cyber attacks starting from mid-August to 18th of September. The malware dropped lukitus.html and lukitus.bmp files to explain to the victim how to transfer money to extortionists and collect the decryption software that supposedly can recover lukitus files. Lukitus was actively distributed via the Blank Slate campaign that was also used to push Cerber, GlobeImposter and Gryphon.