Reflective Essay on Locky Ransomware

History of Locky ransomware

Locky is a strain of the ransomware family of malware. Discovered in mid-February 2016, this file-encrypting outbreak was sophisticated enough to slip past common anti-malware defenses of the time. It was the product of an organized criminal group proficient in implementing cryptography: the data-locking mechanism was done correctly, so that no free decryptor was ever available and victims had no practical way to recover files without the attackers' key. When first launched it could encrypt over 160 file types. In 2016, Locky represented more than 76% of all malware distributed [1], and within eight months of its discovery five versions of the malware were already out harvesting ransom money.

Version 1.0

The first version scrambled victims' filenames, turning each one into a string of 32 hexadecimal characters, and appended the .locky extension. An encrypted file would be named, for example, "8469F0FE8432F4F84DCC48462F435454.locky", and a ransom note named "_Locky_recover_instructions.txt" was dropped on the desktop.

Version 2.0

The second version appeared in mid-2016. Filenames were again replaced by a string of 32 hexadecimal characters, but the string was now broken into hyphen-separated blocks and the file extension became .zepto, for example "034BDC22-54D4-ABD4-F065-F642E772A851.zepto". A ransom note named "_HELP_instructions.html" was placed on the desktop, and the desktop background was replaced with a BMP image of the ransom instructions. This version could encrypt files even when the machine was not connected to the internet, because the sample carried an embedded RSA public key: it did not need to contact its command-and-control server to obtain a key before encrypting.

Version 3.0

Offline encryption was dropped in the third version. The file extension became .odin and the ransom note on the desktop was renamed "_HOWDO_text.html". The installation method also changed: Locky was now delivered as an encrypted DLL that the downloader decrypted and launched, rather than as a plain executable.

Version 4.0

Offline encryption returned in this version, and the file extension became ".shit". The ransom note was renamed "_WHAT_is.html".

Version 5.0

Less than 24 hours after the release of version 4.0, version 5.0 was released. The only difference was that the file extension changed from ".shit" to ".thor". In August 2017, two new variants of Locky were detected, named Diablo and Lukitus, using the extensions ".diablo6" and ".lukitus" respectively. The main difference from the 2016 Locky variants was the way the malware was distributed; the encryption scheme itself was unchanged.

Background of the attack

The attack starts when the victim receives a spam email with the malware attached as a .doc, .xls, or .zip file. Attackers generally vary the filenames and attachments in every malicious email in order to evade signature-based detection by security products. The email carries a subject such as "ATTN: Invoice J-98223146" and a body such as "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice". An example of one of these emails can be seen below.


The attached documents contain obfuscated VBA macros that look like scrambled text. An example of one of these attachments can be seen below.

Once the victim enables macros by clicking "Enable Content", the macro downloads the malicious payload from a compromised website, stores it in the %Temp% folder, and executes it; encryption of the victim's files begins only seconds after the download. The malware targets local drives (fixed, removable, and RAM disks), and some versions also enumerate and encrypt network shares. Each encrypted file is renamed to a unique hexadecimal identifier with an extension such as .diablo6, .locky, .odin, .zepto, .aesir, .thor, or .osiris, depending on the Locky version, and becomes inaccessible to the victim. Locky searches mostly for files with the following extensions to encrypt: .pdf, .rar, .bat, .mpeg, .qcow2, .vmdk, .tar.bz2, .djvu, .jpeg, .tiff, .class, .java, .SQLITEDB, .SQLITE3, .lay6, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .potx, .potm, .pptx, .pptm, .xltx, .xltm, .xlsx, .xlsm, .asm, .c, .cpp, .h, .png, .txt, .cs, .gif, .jpg, .rtf, .xml, .zip, .asc, .xlsb, .dotm, .dotx, .docm, .docx, wallet.dat, etc.
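The renaming pattern and the ransom-note filenames listed across the version history above are the post-infection indicators an incident responder actually hunts for on a suspected host or file share. The following Python is an added example, not code from the original essay or from any vendor: it classifies filenames by the 32-hex-character stem (contiguous, or in the hyphenated blocks of the .zepto form) plus a known Locky extension, counts ransom notes, and flags targeted-but-untouched documents (a sign the run was interrupted). The file list, the extension subset, and the `min_hits` threshold are constructed assumptions for the demonstration.

```python
"""Hunt for Locky post-infection indicators in a list of file names (added example)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extensions used by the Locky versions and variants described in this essay.
LOCKY_EXTENSIONS = {
    ".locky", ".zepto", ".odin", ".shit", ".thor",
    ".aesir", ".osiris", ".diablo6", ".lukitus",
}

# Ransom-note filenames named in the version history above.
RANSOM_NOTES = {
    "_Locky_recover_instructions.txt", "_HELP_instructions.html",
    "_HOWDO_text.html", "_WHAT_is.html",
}

# Subset of the extensions Locky targets, used to spot files it would have
# encrypted but did not (assumption: a short illustrative list, not the full set).
TARGETED_EXTENSIONS = {
    ".pdf", ".docx", ".xlsx", ".pptx", ".jpg", ".png", ".txt",
    ".zip", ".vmdk", ".sqlite3", ".java", ".cpp",
}

# Encrypted-file stem: 32 hex chars, either contiguous (.locky) or split into
# 8-4-4-4-12 hyphenated blocks (.zepto and later), as in the page's samples.
_HEX32 = r"[0-9A-F]{32}"
_HEX_BLOCKS = r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}"
STEM_RE = re.compile(rf"^(?:{_HEX32}|{_HEX_BLOCKS})$", re.IGNORECASE)


def classify(name: str):
    """Return the Locky extension if `name` looks like a Locky-renamed file, else None.

    Both conditions must hold: a known extension AND the scrambled hex stem.
    A user document that merely happens to be called 'report.locky' is not a hit.
    """
    p = PureWindowsPath(name)  # Windows paths, since Locky targets Windows hosts
    ext = p.suffix.lower()
    if ext not in LOCKY_EXTENSIONS or not STEM_RE.match(p.stem):
        return None
    return ext


def is_ransom_note(name: str) -> bool:
    """True if the basename is one of the known Locky ransom-note filenames."""
    return PureWindowsPath(name).name in RANSOM_NOTES


def scan(names, min_hits: int = 3):
    """Summarise Locky indicators across a list of file paths.

    The host is flagged when at least `min_hits` renamed files are present, or
    when any renamed file appears together with a ransom note.
    """
    encrypted = Counter()
    notes = []
    untouched_targets = 0
    for n in names:
        ext = classify(n)
        if ext:
            encrypted[ext] += 1
        elif is_ransom_note(n):
            notes.append(n)
        elif PureWindowsPath(n).suffix.lower() in TARGETED_EXTENSIONS:
            untouched_targets += 1  # targeted type that was not encrypted
    total = sum(encrypted.values())
    return {
        "encrypted_by_ext": dict(encrypted),
        "encrypted_total": total,
        "ransom_notes": notes,
        "untouched_targets": untouched_targets,
        "suspected_locky": total >= min_hits or (total > 0 and bool(notes)),
    }


# Constructed sample listing of a user profile after a Locky v1 run (not real data).
SAMPLE_FILES = [
    r"C:\Users\bob\Documents\8469F0FE8432F4F84DCC48462F435454.locky",
    r"C:\Users\bob\Documents\8469F0FE8432F4F8E8A1B2C3D4E5F601.locky",
    r"C:\Users\bob\Pictures\8469F0FE8432F4F8C0FFEE0000000001.locky",
    r"C:\Users\bob\Desktop\_Locky_recover_instructions.txt",
    r"C:\Users\bob\Documents\budget.xlsx",   # targeted type, still intact
    r"C:\Users\bob\Documents\report.locky",  # not a Locky rename: no hex stem
]

if __name__ == "__main__":
    print(scan(SAMPLE_FILES))
```

In a real engagement the listing would come from a recursive directory walk or from file-creation events in endpoint telemetry rather than a literal list; the point of requiring both the extension and the hex stem is to keep false positives low while still catching every version's naming scheme with one regular expression.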
