| Locky | |
|---|---|
| Name | Locky |
| Type | Ransomware |
| First reported | February 2016 |
| Targets | Microsoft Windows |
| Distribution | Malspam (Necurs botnet), malicious Office macros, script attachments, exploit kits |
| Notable incidents | Hollywood Presbyterian Medical Center attack, various municipal and corporate infections |
Locky
Locky is a family of ransomware that emerged in February 2016 and rapidly became one of the most prolific file encryptors targeting Microsoft Windows endpoints, the network shares reachable from them and, through those shares, corporate backups. Distributed primarily through large-scale phishing campaigns sent from commodity malspam infrastructure, and to a lesser extent through exploit kits, Locky encrypts files and demands payment in Bitcoin for the decryption key, changing its file extensions and obfuscation layers repeatedly to evade detection. Security vendors, incident response firms, and law enforcement agencies documented multiple waves and variants that illustrate how an organized ransomware operation iterates on payloads and delivery.
Locky first attracted widespread attention after outbreaks in early 2016 affected hospitals, corporations, and public institutions, causing significant operational disruption and, in some cases, ransom payments. Analysts at firms such as Symantec, Trend Micro, Kaspersky Lab, McAfee, and FireEye traced the initial campaigns to mass-mailing botnets and malicious Office attachments that used social-engineering lures such as invoices, shipping notices, and spoofed communications from organizations like DHL, UPS, and financial firms. The actor(s) behind Locky iterated rapidly on payloads, file-extension schemes (for example, .locky, .zepto, .odin), and the enumeration of mapped and unmapped network shares, prompting coordinated responses from incident responders at companies including Microsoft and from research groups at BleepingComputer and Malwarebytes.
Locky employs a multi-stage infection chain that begins with a weaponized document or archive containing an obfuscated Visual Basic for Applications macro, a malicious JavaScript, VBScript, or Windows Script File dropper, or, less often, an executable delivered by an exploit kit. Early variants used macros embedded in Microsoft Office documents to download the payload from compromised web servers and execute it, sometimes by way of PowerShell. After execution, Locky enumerates local drives and mapped and unmapped network shares, encrypting files with AES and protecting the AES key material with a 2048-bit RSA public key so that files cannot be recovered without the operators' private key; encrypted files are renamed to a hexadecimal identifier (the first part of which identifies the victim) plus the variant's extension. Early builds stored the victim ID, public key, and ransom text under HKCU\Software\Locky and some added a Run key for persistence; later builds dropped that persistence and carried an embedded public key so encryption could proceed even when the command-and-control server was unreachable. Locky deletes Volume Shadow Copies with the built-in utility (vssadmin.exe Delete Shadows /All /Quiet) to frustrate recovery. Command-and-control traffic consists of HTTP POST requests with an encrypted body to hard-coded IP addresses and to domains produced by a date-seeded domain generation algorithm, while the ransom notes (for the first variant, _Locky_recover_instructions.txt and a matching desktop wallpaper) direct victims to a Tor .onion "Locky Decryptor Page" for payment instructions and the decryption tool.
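The behaviours in the chain above (an Office application spawning a script host, vssadmin deleting shadow copies, and one process renaming many files to a Locky extension in a short window) are the ones an endpoint hunt would look for. The following Python is an added example, not code from the article or from any vendor; the process-event and file-event records are constructed to mimic Sysmon-style telemetry, and the process names (sv.exe), paths, PIDs, and the exact record schema are assumptions made for the example.

```python
import re
from collections import defaultdict

# Extensions named in the article; process names and the record schema are assumptions.
LOCKY_EXTENSIONS = {"locky", "zepto", "odin", "thor", "zzzzz", "ykcol"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

EXT_RE = re.compile(r"\.(" + "|".join(sorted(LOCKY_EXTENSIONS)) + r")$", re.I)
# Matches "vssadmin.exe Delete Shadows /All /Quiet" regardless of casing or extra switches.
SHADOW_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)


def proc(ts, pid, ppid, image, cmdline):
    """Constructed process-creation record (Sysmon event 1 / Security 4688 style)."""
    return {"type": "process", "ts": ts, "pid": pid, "ppid": ppid,
            "image": image.lower(), "cmdline": cmdline}


def fileop(ts, pid, path):
    """Constructed file-write/rename record attributed to a process."""
    return {"type": "file", "ts": ts, "pid": pid, "path": path}


# Constructed sample telemetry: a macro-laden invoice opened in Word spawns cmd, which
# runs PowerShell to start a dropper; the dropper deletes shadow copies and renames a
# dozen documents to 16-hex-digit names with a .locky extension. A benign save follows.
SAMPLE_EVENTS = [
    proc(0, 3900, 1200, "explorer.exe", "explorer.exe"),
    proc(10, 4120, 3900, "WINWORD.EXE", 'WINWORD.EXE /n "C:\\Users\\alice\\Downloads\\invoice_J-98223.docm"'),
    proc(12, 4188, 4120, "cmd.exe", "cmd.exe /c powershell -nop -w hidden -c IEX($env:m)"),
    proc(13, 4201, 4188, "powershell.exe", "powershell -nop -w hidden -c IEX($env:m)"),
    proc(15, 4300, 4201, "sv.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\sv.exe"),
    proc(16, 4310, 4300, "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    proc(40, 5000, 3900, "winword.exe", "winword.exe C:\\Users\\alice\\Documents\\report.docx"),
    fileop(41, 5000, "C:\\Users\\alice\\Documents\\report.docx"),
]
SAMPLE_EVENTS += [fileop(20 + i, 4300, f"C:\\Users\\alice\\Documents\\{i:016X}.locky")
                  for i in range(12)]


def process_index(events):
    """Map pid -> process record so parent links can be followed."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def lineage(pid, procs):
    """Ancestry of a pid as image names, root first (stops at unknown or cyclic ppid)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def detect_office_child_scripts(events):
    """Office application directly spawning a script host: the macro stage."""
    procs = process_index(events)
    hits = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent and parent["image"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
            hits.append((e["pid"], parent["image"], e["image"]))
    return hits


def detect_shadow_deletion(events):
    """Shadow-copy deletion, reported with the full process lineage for triage."""
    procs = process_index(events)
    return [(e["pid"], " > ".join(lineage(e["pid"], procs)))
            for e in procs.values() if SHADOW_RE.search(e["cmdline"])]


def detect_mass_renames(events, threshold=10, window=60):
    """A single pid producing >= threshold Locky-extension files within `window` seconds."""
    by_pid = defaultdict(list)
    for e in events:
        if e["type"] == "file" and EXT_RE.search(e["path"]):
            by_pid[e["pid"]].append(e["ts"])
    hits = []
    for pid, stamps in by_pid.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((pid, best))
    return hits


def hunt(events):
    """Run all three detections and return their findings keyed by name."""
    return {
        "office_child_scripts": detect_office_child_scripts(events),
        "shadow_copy_deletion": detect_shadow_deletion(events),
        "mass_locky_renames": detect_mass_renames(events),
    }


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

The lineage on the shadow-copy finding is what separates a real incident from an administrator running vssadmin by hand: a chain that starts at winword.exe is not an administrator. The rename detector keys on extensions because the article's variants each changed theirs; a production rule would also watch for the 16-hex-digit name pattern and for the ransom note file name.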
Distribution relied on malspam relayed through botnets, above all Necurs, whose operators alternated Locky with other payloads such as the Dridex banking trojan, and on exploit kits such as Nuclear, Neutrino, and RIG. Attachments moved from macro-bearing Word documents to zipped JavaScript, VBScript, and Windows Script File droppers as mail gateways adapted. Notable variants were named by the security community after their extensions, including .locky, .zepto, .odin, .thor, .aesir, .zzzzz, .osiris, .diablo6, .lukitus, and .ykcol, each marking changes in the encryption routine, delivery mechanism, or obfuscation layers. Analysts from Cisco Talos, ESET, CrowdStrike, and Palo Alto Networks documented these shifts and generally tied the campaigns to the Necurs distribution operation rather than to a broad affiliate program. Periods of near silence, notably in the first half of 2017, were followed by resurgences, typically timed with new email templates, new droppers, or Necurs returning to Locky after pushing other malware.
High-profile incidents attributed to Locky and to contemporaneous strains included the Hollywood Presbyterian Medical Center outage in February 2016, in which the hospital paid 40 bitcoin (about US$17,000 at the time) to regain access to its systems, as well as municipal service interruptions and disruptions at small and medium-sized enterprises across many countries. Victims spanned healthcare providers, law firms, manufacturers, and educational institutions, with operational impacts such as cancelled procedures, offline billing systems, and lost productivity. Security vendors compiled incident reports summarising ransom demands, which Locky denominated in bitcoin (typically 0.5 to 1 BTC per infected machine in early campaigns), and remediation timelines. The economic and reputational damage prompted increased investment in backup strategy and incident readiness, in line with guidance from professional bodies such as ISACA and standards bodies such as NIST.
Detection of Locky relies on layered controls: email gateway filtering (for example from Proofpoint and Mimecast) that strips or sandboxes macro-enabled documents and script attachments such as .js, .vbs, and .wsf files inside archives; endpoint protection with behavioural heuristics (Sophos, SentinelOne) that flags Office applications spawning script hosts, shadow-copy deletion, and rapid mass renaming of files; network-level anomaly detection (Arbor Networks, Darktrace); and proactive threat hunting by managed detection and response providers. Mitigations promoted by the CERT Coordination Center and national cybersecurity centres include disabling macros by default in Microsoft Office (and blocking macros in files that arrived from the internet), enforcing least privilege so that an infected user account cannot write to every share it can see, segmenting networks, keeping offline or immutable backups that a compromised host cannot overwrite, and patching the Microsoft and Adobe products that exploit kits target. Incident response playbooks from the SANS Institute and ENISA emphasise containment (isolating the host and disconnecting shares), forensic imaging, preservation of log sources, and legal coordination before any payment is considered.
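"Disable macros by default" is implemented by Office registry values, and it is worth verifying rather than assuming. The following Python is an added example, not code from the article or from Microsoft: it parses constructed reg query output and reports every application whose effective setting would still let a macro-based dropper run. The value names VBAWarnings and blockcontentexecutionfrominternet, the hive paths, the Office version string, the meaning of the numeric values, the defaults used when a value is absent, and the rule that the Policies hive overrides the per-user hive are assumptions that should be checked against Microsoft's documentation for the Office version in use.

```python
# Meaning of VBAWarnings values (Office Trust Center "Macro Settings"); assumption.
VBA_WARNINGS = {
    1: "enable all macros",
    2: "disable all macros with notification (user can click Enable Content)",
    3: "disable all macros except digitally signed",
    4: "disable all macros without notification",
}
SAFE_VBA_WARNINGS = {3, 4}
OFFICE_VERSION = "16.0"   # assumption: Office 2016 / 2019 / Microsoft 365 hive

# Constructed `reg query HKCU\Software /s`-style output: Word is hardened by policy,
# Excel has a per-user "enable all" setting, PowerPoint has no entry at all.
SAMPLE_REG_QUERY = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Word\\Security
    VBAWarnings    REG_DWORD    0x2
    blockcontentexecutionfrominternet    REG_DWORD    0x0

HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Excel\\Security
    VBAWarnings    REG_DWORD    0x1

HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Office\\16.0\\Word\\Security
    VBAWarnings    REG_DWORD    0x4
    blockcontentexecutionfrominternet    REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Parse reg query output into {key path: {value name (lowercased): int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current and line.strip():
            name, _kind, data = line.split()
            keys[current][name.lower()] = int(data, 0)   # accepts 0x.. and decimal
    return keys


def effective_setting(keys, app, name, default):
    """Return (value, source). A value under the Policies hive (Group Policy) wins over
    the per-user hive; if neither is set, Office's default applies (assumption)."""
    hives = (
        ("policy", f"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Office\\{OFFICE_VERSION}\\{app}\\Security"),
        ("user", f"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\{OFFICE_VERSION}\\{app}\\Security"),
    )
    for source, key in hives:
        values = keys.get(key, {})
        if name in values:
            return values[name], source
    return default, "default"


def audit_macro_policy(text, apps=("Word", "Excel", "PowerPoint")):
    """List each application whose effective settings still let a Locky-style macro run:
    VBAWarnings outside {3, 4}, or macros from internet-origin files not blocked."""
    keys = parse_reg_query(text)
    findings = []
    for app in apps:
        vba, src = effective_setting(keys, app, "vbawarnings", 2)
        if vba not in SAFE_VBA_WARNINGS:
            findings.append((app, "VBAWarnings", vba, src, VBA_WARNINGS.get(vba, "unknown value")))
        block, src = effective_setting(keys, app, "blockcontentexecutionfrominternet", 0)
        if block != 1:
            findings.append((app, "blockcontentexecutionfrominternet", block, src,
                             "macros in files marked as downloaded from the internet are not blocked"))
    return findings


if __name__ == "__main__":
    for app, setting, value, source, why in audit_macro_policy(SAMPLE_REG_QUERY):
        print(f"{app:<10} {setting:<36} {value} ({source}): {why}")
```

Word produces no finding because the policy hive sets VBAWarnings to 4 and blocks internet-origin macros, which is the state to aim for; Excel's per-user value of 1 is the weak configuration that lets an invoice macro run silently, and PowerPoint falls back to the default "disable with notification", which a convincing lure defeats with one click on Enable Content.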
Law enforcement agencies including Europol, the FBI, and national cybercrime units coordinated intelligence sharing and takedown operations against botnets, malware distribution infrastructure, and cryptocurrency money-laundering channels; the Necurs botnet that carried most Locky campaigns was disrupted in March 2020 by a Microsoft-led coalition that took control of the domains its domain generation algorithm would produce. International cooperation with private-sector partners enabled the seizure of domains and the disruption of hosting providers abused by ransomware operators. Asset-recovery efforts drew on banking regulators and cryptocurrency exchanges to trace payments; however, attribution and successful prosecution of the core operators remained elusive because of anonymising technologies, transnational jurisdictions, and the separation between malware authors, distributors, and payment infrastructure. Policy discussions within bodies such as the United Nations and the European Commission have focused on strengthening cybercrime conventions and improving public–private collaboration to reduce ransomware harms.
Category:Ransomware