Connect with us

Hi, what are you looking for?



“Locky” Ransomware Encrypts Unmapped Network Shares

Security researchers have discovered a new piece of ransomware called Locky, which uses AES encryption algorithm to encrypt both local files and files on network shares, even if they are unmapped.

Security researchers have discovered a new piece of ransomware called Locky, which uses AES encryption algorithm to encrypt both local files and files on network shares, even if they are unmapped.

Locky is the second ransomware observed in the past few weeks to encrypting data on unmapped network shares, which suggests that other malicious programs might follow suit, especially since cybercriminals tend to inspire themselves from existing code when building new malware, as was the case with Hidden Tear, the so-called educational ransomware.

In fact, Locky employs techniques already observed in other ransomware, namely the fact that it completely changes the filenames for encrypted files to make it more difficult to restore data, a feature previously observed in CryptoWall.

The new piece of malware is being distributed via fake invoice emails that contain Word document attachments with malicious macros. When the user enables macros to view the content of the document, the Locky ransomware is downloaded from a remote server and executed, and it immediately begins encrypting files on the compromised system.

When started, Locky creates and assigns a unique 16 hexadecimal number to the victim’s computers, when will scan all drives and unmapped network shares for files to encrypt. The malware uses the AES encryption algorithm and targets only file extensions matching a certain criteria, BleepingComputer notes in a blog post.

The malware will skip files that contain the following strings in their full pathname and filename: tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows.

All encrypted files are automatically renamed to [unique_id][identifier].locky, with the unique ID and other information also embedded at the end of the encrypted file. Additionally, the malware will delete all of the Shadow Volume Copies on the machine, to prevent victims from using these to restore their files.

Advertisement. Scroll to continue reading.

The malicious program places a ransom note called _Locky_recover_instructions.txt in each folder where it encrypts files, providing victims with info on what happened to their files and with links to the decrypter page. Additionally, the ransomware changes the desktop wallpaper to a .bmp image that contains the same instructions as the text ransom notes, and asks users to pay 0.5 bitcoins to recover their files.

Locky also stores various information in the registry, including the unique ID assigned to the victim, the RSA public key, the text in the ransom notes, and details on whether it finished encrypting the computer. The Locky Decrypter Page shows information on how to purchase bitcoins to pay the ransom, and provides victims with a decrypter when payment is sent to the assigned bitcoin address.

Related: Malware Developers Blackmail Creator of Open-Source Ransomware

Related: Encryption Flaw Used to Crack Cryptear Ransomware

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...