Locky Ransomware Virus

30/03/2016 10:30:03


The Locky ransomware virus usually spreads through emails and malicious links to Trojans. Once the file carrying the Locky virus is downloaded, it runs automatically and deletes the ransomware sample to evade anti-virus detection. The Locky virus then uses its Internet access permission to connect to the C&C server controlled by the attacker, uploads information about the infected endpoint device, and downloads a private key from the C&C server, which is written into the registry. Files on all local disk drives are then traversed and encrypted, and a text is displayed on the desktop telling victims to pay the ransom (in Bitcoin in most cases).

Locky Virus Analysis
After studying the Locky variants spreading via email, the Sangfor security team found that the malicious email attachment is actually a JavaScript file. Because the file is heavily obfuscated, its contents cannot be read directly. Part of the decoded JavaScript file is shown below:

The Locky payload then encrypts various files and runs the command vssadmin.exe Delete Shadows /All /Quiet to delete all volume shadow copies, so that victims cannot restore their data from them.
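As an added defender-side example (not code from the original page or from Sangfor), the following Python routine triages constructed process-creation events for the two behaviours described above: a script host launching a .js or .vbs attachment, and vssadmin deleting shadow copies. The event field names, paths and file names are assumptions made for the sample.

```python
import re

# Constructed sample process-creation events (assumed field layout, not from the page):
# a benign editor launch, wscript.exe running a .js file from the user's Temp folder,
# a harmless vssadmin query, and the shadow-copy deletion Locky issues.
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"pid": 102, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice_8812.js"'},
    {"pid": 103, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"pid": 104, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "Vssadmin.exe Delete Shadows /All /Quiet"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".vbs")

def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_shadow_copy_deletion(cmdline):
    """True for 'vssadmin[.exe] delete shadows ...' in any case, quoting or switch layout."""
    t = [x.lower() for x in tokens(cmdline)]
    if not t or basename(t[0]) not in {"vssadmin", "vssadmin.exe"}:
        return False
    return any(a == "delete" and b == "shadows" for a, b in zip(t[1:], t[2:]))

def is_script_attachment_launch(image, cmdline):
    """True when wscript/cscript is handed a .js or .vbs file to execute."""
    if basename(image) not in SCRIPT_HOSTS:
        return False
    return any(basename(x).endswith(SCRIPT_EXTS) for x in tokens(cmdline)[1:])

def triage(events):
    """Return (pid, reason) for every event matching one of the Locky behaviours."""
    findings = []
    for ev in events:
        if is_shadow_copy_deletion(ev["cmdline"]):
            findings.append((ev["pid"], "shadow copy deletion via vssadmin"))
        elif is_script_attachment_launch(ev["image"], ev["cmdline"]):
            findings.append((ev["pid"], "script host executing a .js/.vbs file"))
    return findings

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```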

For files encrypted by such complex ransomware, there is no solution other than paying the ransom in Bitcoin, and the same holds for files encrypted by the latest Locky variant. What can be done is to prevent more endpoint devices from being infected with ransomware. Our recommendations are as follows:

1. Do not open attachments of emails from suspicious senders.

2. Do not enable macros in Office files.

3. Download applications only from official websites, and do not double-click to open files with extensions such as .js and .vbs.

4. Update Sangfor NGAF anti-virus and malware signature databases to the latest versions.

5. Update enterprise-level antivirus software to the latest version.

6. Regularly back up critical data and files to another endpoint device, so that if a Locky infection occurs, data and files can be restored from the backup.

