Locky Ransomware Encrypts Local Files and Unmapped Network Shares


As if the earlier families were not enough to deal with, a new ransomware has surfaced in the last few days. Going by the name "Locky", it uses AES encryption to lock up the important files on your device.

Locky then holds those files for ransom, demanding 0.5 bitcoin to restore them. Until you pay what it demands, the files stay encrypted.

Although the name Locky sounds childish, its delivery and inner workings are anything but. It targets a wide range of file types, and its most potent weapon is its ability to encrypt data on unmapped network shares.

Encrypting data on unmapped network shares was not common until DMA Locker introduced it to modern ransomware. Now that Locky has reused the same technique, with more polished results, it is safe to assume that it will be built into most ransomware that follows.

Looking at its functionality, Locky has borrowed most of its habits from earlier malware. Alongside the unmapped-share encryption taken from DMA Locker, Locky uses CryptoWall's technique of completely replacing the file names. As a result, even after the malware has been removed, the victim cannot tell which encrypted file was which without decrypting it, and the only decrypter on offer is the one sold for the ransom.

Locky spreads through fake invoices

"Please see the attached invoice." This is the message in the email that carries Locky. Attached is a Word document which, once opened with macros enabled, fetches the Locky executable onto the device.

After you open the attachment and allow its macro to run, the macro downloads the Locky executable into the "%Temp%" folder and launches it. From there it is only a matter of minutes before Locky has encrypted the computer. The document itself does nothing without macros, which is why the lure text pushes the reader to enable them.
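A mail-gateway or endpoint check that catches the delivery step described above, added here as an example and not code from the original article: it opens an attachment as an Office Open XML package and reports whether it carries a VBA project, which is the part a macro dropper needs. The sample documents are constructed in memory for the example and are not real Locky lures. Note that the classic binary .doc format is an OLE2 compound file rather than a zip, so those attachments need an OLE parser (for instance oletools' olevba); this example only classifies them as OLE2 and fully inspects the zip-based formats (.docx/.docm/.xlsm/.pptm).

```python
import io
import zipfile

# First eight bytes of an OLE2 compound file (legacy .doc/.xls containers).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 stream; only its presence matters here.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def ooxml_has_vba(data: bytes) -> bool:
    """True if a zip-based Office file contains a VBA project part anywhere in the package."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(data: bytes) -> str:
    """Classify an attachment for a macro-delivery check.

    Returns one of:
      "macro-enabled"  OOXML package carrying VBA: block it or detonate it in a sandbox
      "ooxml-clean"    OOXML package with no VBA part
      "ole2"           legacy binary Office file; hand it to an OLE parser such as olevba
      "other"          not an Office document
    The file extension is deliberately ignored: a .docx name can still carry a VBA part.
    """
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data[:2] != b"PK":          # every OOXML package is a zip archive
        return "other"
    if ooxml_has_vba(data):
        return "macro-enabled"
    return "ooxml-clean"


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample_package(True)),
        ("invoice.docx", build_sample_package(False)),
        ("invoice.doc", OLE_MAGIC + b"\x00" * 504),
    ]
    for name, blob in samples:
        print(f"{name}: {triage_attachment(blob)}")
```

Because the check keys on the package contents rather than the file name, renaming a .docm to .docx (a common trick to slip past extension filters) does not change the verdict.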

How Locky changes the names of the files it encrypts

Once the ransomware executes on your computer, Locky assigns the device a 16-character hexadecimal victim ID. It then scans every local drive, along with unmapped network shares, looking for files it can encrypt. Files whose extensions match Locky's target list are encrypted with AES, and each encrypted file is renamed to the victim ID followed by another 16 hexadecimal characters and the .locky extension, so the original name is gone from the disk.

Locky does skip some files: anything whose path contains strings such as x86, Program Files, temp or thumbs.db is left alone, so that the operating system stays usable enough to display the ransom note.

One thing that should be stressed is Locky's ability to encrypt files on unmapped network shares. Ordinary ransomware only reaches files on shares that are mapped to a drive letter; Locky also encrypts shares that are not mapped. This technique has been spreading over the last few months and is expected to appear in more ransomware to come. The practical consequence is that a single infected workstation with write access to a file server can encrypt the server's data without the server itself being infected, so share permissions should follow least privilege.

Earlier ransomware sometimes left the Volume Shadow Copies intact, so the encrypted files could be restored from them; Locky deletes those as well, using the built-in vssadmin tool. Unless the victim has backups that the infected machine could not reach, there is no way to get the files back but to pay.
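A detection for the behaviour described above, added here as an example and not taken from the original article: it runs over constructed process-creation events (the fields a Sysmon event 1 or Security 4688 record provides; the hostnames, users, times and paths are made up) and flags the commands that destroy Volume Shadow Copies, while letting the benign `vssadmin list shadows` through. The page only states that Locky deletes shadow copies; the `wmic shadowcopy delete` and shadow-storage resize variants are included because other ransomware reaches the same end that way, and a detection that only knows one spelling is easy to sidestep.

```python
import re

# Command lines ransomware uses to destroy or evict Volume Shadow Copies.
SHADOW_DELETION_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    # Shrinking the shadow storage forces Windows to discard existing copies: same effect, quieter.
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b.*\bmaxsize\b", re.I)),
]

# Constructed sample process-creation events; every value is made up for the example.
SAMPLE_EVENTS = [
    {"time": "2016-02-17T10:03:11Z", "host": "WS-014", "user": "CORP\\jdoe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\invoice_payload.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"time": "2016-02-17T10:03:12Z", "host": "WS-014", "user": "CORP\\jdoe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\invoice_payload.exe",
     "command_line": "wmic shadowcopy delete"},
    {"time": "2016-02-17T09:10:00Z", "host": "SRV-BK01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "vssadmin.exe list shadows"},
    {"time": "2016-02-17T08:00:00Z", "host": "WS-002", "user": "CORP\\asmith",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "invoice.doc"'},
]


def classify_shadow_deletion(command_line: str):
    """Return the name of the matching technique, or None if the command line is benign."""
    for name, pattern in SHADOW_DELETION_PATTERNS:
        if pattern.search(command_line):
            return name
    return None


def find_shadow_deletions(events):
    """Scan process-creation events and return one alert per shadow-copy destruction.

    The parent image is kept in the alert: for ransomware the parent is the payload
    itself, which typically runs from a user-writable path such as %Temp% or %AppData%.
    """
    alerts = []
    for ev in events:
        technique = classify_shadow_deletion(ev["command_line"])
        if technique is None:
            continue
        parent = ev["parent_image"].lower()
        alerts.append({
            "time": ev["time"],
            "host": ev["host"],
            "user": ev["user"],
            "technique": technique,
            "parent_image": ev["parent_image"],
            "parent_in_user_path": "\\temp\\" in parent or "\\appdata\\" in parent,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_shadow_deletions(SAMPLE_EVENTS):
        print(alert)
```

In practice the alert should fire on the first match and trigger host isolation: by the time the shadow copies are gone, encryption is already under way, and the `parent_in_user_path` flag separates a backup agent running `vssadmin` from a payload dropped into `%Temp%` by a macro.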

Locky also leaves traces: it drops a ransom note (a text file named _Locky_recover_instructions.txt) in every folder from which files were encrypted. As the name suggests, the note tells the victim how to pay.
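A triage helper for the renaming and ransom-note behaviour described above, added here as an example and not part of the original article. When a file server is hit through an unmapped share the server itself was never infected, so the first question is which client did the damage. Because every encrypted name starts with the 16-character victim ID that Locky assigned at execution, grouping a directory listing by that prefix shows how many infected clients wrote to the share and which folders each one reached, and the note locations confirm the encrypted folders. The share paths, IDs and note locations below are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Encrypted file name: 16 hex characters of victim ID, 16 more hex characters, then .locky
LOCKY_NAME = re.compile(r"^([0-9A-F]{16})([0-9A-F]{16})\.locky$", re.I)
RANSOM_NOTE = "_locky_recover_instructions.txt"

# Constructed listing of a file server share after an incident. Two victim IDs appear,
# meaning two different infected clients wrote to this share.
SAMPLE_LISTING = [
    r"\\fs01\finance\2016\A1B2C3D4E5F60718F1E2D3C4B5A69788.locky",
    r"\\fs01\finance\2016\A1B2C3D4E5F6071800112233445566AA.locky",
    r"\\fs01\finance\2016\_Locky_recover_instructions.txt",
    r"\\fs01\finance\budget\A1B2C3D4E5F6071899AABBCCDDEEFF00.locky",
    r"\\fs01\finance\budget\_Locky_recover_instructions.txt",
    r"\\fs01\hr\staff\0F1E2D3C4B5A69781234567890ABCDEF.locky",
    r"\\fs01\hr\staff\_Locky_recover_instructions.txt",
    r"\\fs01\hr\policies\handbook.docx",   # untouched file
    r"\\fs01\hr\policies\notes.locky",     # wrong shape: not a Locky rename
]


def parse_locky_name(path: str):
    """Return (victim_id, file_id) for a Locky-renamed file, or None otherwise."""
    m = LOCKY_NAME.match(PureWindowsPath(path).name)
    if not m:
        return None
    return m.group(1).upper(), m.group(2).upper()


def triage_listing(paths):
    """Summarise an incident from a file listing.

    Returns a dict with:
      victims:        {victim_id: number of encrypted files}
      victim_folders: {victim_id: sorted folders that client encrypted}
      note_folders:   folders containing the ransom note
      encrypted:      total number of encrypted files
    """
    victims = Counter()
    victim_folders = defaultdict(set)
    note_folders = set()
    for p in paths:
        wp = PureWindowsPath(p)
        folder = str(wp.parent)
        if wp.name.lower() == RANSOM_NOTE:
            note_folders.add(folder)
            continue
        parsed = parse_locky_name(p)
        if parsed:
            victim_id, _ = parsed
            victims[victim_id] += 1
            victim_folders[victim_id].add(folder)
    return {
        "victims": dict(victims),
        "victim_folders": {k: sorted(v) for k, v in victim_folders.items()},
        "note_folders": sorted(note_folders),
        "encrypted": sum(victims.values()),
    }


if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    print(f"{summary['encrypted']} encrypted files from {len(summary['victims'])} victim ID(s)")
    for victim_id, folders in summary["victim_folders"].items():
        print(f"  {victim_id}: {summary['victims'][victim_id]} file(s) in {folders}")
```

The same victim ID is what the ransom note and the decrypter page key on, so once the listing is grouped you can match each ID to the machine whose note carries it and isolate that client rather than the server.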

How the Locky Decrypter page looks

As the name suggests, the Locky "Decrypter" page offers to decrypt the files that Locky encrypted, but only after the ransom is paid.

The front page, reached through the Tor network, carries the payment instructions. As a further "service" to the victim it explains how to purchase bitcoins, states the ransom amount and gives the address to send it to.

After the victim sends the ransom to the address shown, the page offers a decrypter for their files. Paying funds the operation and comes with no guarantee that the decrypter works.

How to get rid of the .locky file extension

Even though the discussion above paints a grim picture of the Locky virus, downloading the .locky virus remover from nabzsoftware.com would save you from this nuisance. It is a security suite that removes the entire ransomware in a single click.

After you have removed Locky itself, turn to data recovery, since removing the ransomware without recovering the data is of little use. Removal does not decrypt anything: the shadow copies are gone, so the files come back only from a backup the infected machine could not reach.