Locky

Locky

Aliases	Ransom:Win32/Locky.A (Microsoft) Trojan.Encoder.3976 (Dr.Web) Win32/Filecoder.Locky.A (ESET) Malicious_Behavior.VEX.99 (Fortinet) Trojan.Win32.Filecoder (Ikarus) Trojan-Ransom.Win32.Locky.d (Kaspersky Lab) Trojan.Cryptolocker.AF (Symantec) Ransom_LOCKY.A (Trend Micro)
Type	Trojan
Subtype	Ransomware
Author(s)	Necurs

Locky is ransomware malware released in 2016. It is delivered by email (that was allegedly an invoice requiring payment) with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of garbage, and it includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, the macros then save and run a binary file that downloads the actual encryption trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination with the .locky file extension. After encryption, a message (displayed on the user's desktop) instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information. The Web site contain instructions that demand a payment of between 0.5 and 1 bitcoin (one bitcoin varies in value between 500-1000 Euros via a bitcoin exchange). Since the criminals possess the private key and the remote servers are controlled by them, the victims are motivated to pay to decrypt their files.

The most commonly reported mechanism of infection involves receiving an email with a Microsoft Word document attachment that contains the code. The document is gibberish, and prompts the user to enable macros to view the document. Enabling macros and opening the document launch the Locky virus. Once the virus is launched, it loads into the memory of the users system, encrypts documents as hash.locky files, installs .bmp and .txt files, and can encrypt network files that the user has access to. This has been a different route than most ransomware since it uses macros and attachments to spread rather than being installed by a Trojan or using a previous exploit.

On June 22, 2016, Necurs released a new version of Locky with a new loader component, which includes several detection-avoiding techniques, such as detecting whether it is running within a virtual machine or within a physical machine, and relocation of instruction code.

Since Locky was released there have been numerous variants released that used different extensions for encrypted files. Many of these extensions are named after gods of Norse and Egyptian mythology. When first released, the extension used for encrypted files was .Locky. Other versions utilized the .zepto, .odin, .shit, .thor, .aesir, and .zzzzz extensions for encrypted files. The current version, released in December 2016, utilizes the .osiris extension for encrypted files.

...
Wikipedia