{
	"id": "f36d85b6-f706-4bd8-9ec8-0488c5364c62",
	"created_at": "2026-04-06T00:06:12.948683Z",
	"updated_at": "2026-04-10T13:11:52.015623Z",
	"deleted_at": null,
	"sha1_hash": "d5786508d743afee5dbe497e7a799845911e7182",
	"title": "Locky",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 148328,
	"plain_text": "Locky\r\nBy Contributors to Wikimedia projects\r\nPublished: 2016-07-08 · Archived: 2026-04-05 12:58:07 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nLocky\r\nMalware details\r\nAliases:\r\nRansom:Win32/Locky.A (Microsoft)\r\nTrojan.Encoder.3976 (Dr.Web)\r\nWin32/Filecoder.Locky.A (ESET)\r\nMalicious_Behavior.VEX.99 (Fortinet)\r\nTrojan.Win32.Filecoder (Ikarus)\r\nTrojan-Ransom.Win32.Locky.d (Kaspersky Lab)\r\nTrojan.Cryptolocker.AF (Symantec)\r\nRansom_LOCKY.A (Trend Micro)\r\nType: Trojan\r\nSubtype: Ransomware\r\nAuthor: Necurs\r\nLocky is ransomware released in 2016. It is delivered by email, purportedly an invoice requiring payment, with an attached Microsoft Word document that contains malicious macros.[1] When the user opens the document it appears to be full of gibberish and carries the phrase \"Enable macro if data encoding is incorrect\", a social-engineering lure. If the user enables macros, the macro saves and runs a binary that downloads the actual encryption Trojan, which encrypts every file matching a list of target extensions. Filenames are replaced by a unique 16-character string of letters and digits. Initially only the .locky extension was used for encrypted files; later variants used others, including .zepto, .odin, .aesir, .thor and .zzzzz. After encryption, a message displayed on the user's desktop instructs them to download the Tor Browser and visit a specific criminal-operated website for further information.\r\nThe website demands a ransom of between 0.5 and 1 bitcoin (as of November 2017 one bitcoin traded at between $9,000 and $10,000 on exchanges). 
Since the criminals hold the private key and control the remote servers, victims are motivated to pay to decrypt their files.[2][3][4] Cryptocurrencies are very difficult to trace and are highly portable.[5]\r\nhttps://en.wikipedia.org/wiki/Locky\r\nPage 1 of 4\r\n[Figure: Encrypted file]\r\nThe most commonly reported infection mechanism is an email carrying a Microsoft Word attachment that contains the code. The document is gibberish and prompts the user to enable macros to view it; enabling macros launches Locky.[6] Once launched, it loads into memory on the user's system, encrypts documents and renames them to a hash-like name with the .locky extension, drops .bmp and .txt ransom-note files, and can also encrypt files on network shares that the user's account can write to.[7] Because it encrypts whatever the logged-in account can write to, share permissions bound the blast radius: a user with write access to an entire departmental share can take it down with a single opened attachment. This differed from most ransomware of the time, which was installed by an existing Trojan or delivered through an exploit rather than spread through macro-bearing attachments.[8]\r\nOn June 22, 2016, Necurs released a new version of Locky with a new loader component that includes several anti-analysis techniques, such as checking whether it is running in a virtual machine rather than on physical hardware, and relocating its instruction code.[9]\r\nSince Locky was released, numerous variants have appeared that use different extensions for encrypted files, many named after gods of Norse and Egyptian mythology. The first release used the .locky extension; later versions used .zepto, .odin, .shit, .thor, .aesir and .zzzzz. The version released in December 2016, the latest at the time of writing, uses the .osiris extension.[10]\r\nDistribution methods\r\nMany different distribution methods for Locky have been used since the ransomware was released. 
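Before turning to delivery, the file-level effects described above (encrypted files renamed to a 16-character name carrying one of the Locky extensions, and encryption reaching onto any network share the user can write to) are what an endpoint or file-server monitor can key on. The following is an added example written for this page, not code from the article or from any product it cites: it takes file-rename events, matches the destination name against the extension list the article gives, and raises an alert for any host and user pair that performs a burst of such renames inside a short window, listing the shares touched. The alphabet assumed for the 16-character name, the threshold and window values, the event tuple layout and the sample events are this example's own assumptions; the sample telemetry is constructed, not real.

```python
import re
from collections import defaultdict

# Extensions the article lists for Locky-encrypted files across variants.
LOCKY_EXTS = ('.locky', '.zepto', '.odin', '.shit', '.thor', '.aesir', '.zzzzz', '.osiris')
# The article says the name becomes a unique 16-character mix of letters and
# digits; the exact alphabet used here is an assumption of this example.
RENAMED = re.compile('^[0-9A-Za-z]{16}[.](' + '|'.join(e[1:] for e in LOCKY_EXTS) + ')$')


def _normalise(path):
    # Windows telemetry carries backslashes; chr(92) is a backslash.
    return path.replace(chr(92), '/')


def is_locky_rename(new_path):
    '''True when the destination name looks like a Locky-encrypted file.'''
    name = _normalise(new_path).rsplit('/', 1)[-1]
    return RENAMED.match(name) is not None


def share_root(path):
    '''Return //server/share for a UNC path, or None for a local path.'''
    p = _normalise(path)
    if p.startswith('//'):
        parts = p[2:].split('/')
        if len(parts) >= 2:
            return '//' + parts[0] + '/' + parts[1]
    return None


def detect(events, threshold=20, window=60):
    '''events: iterable of (ts_seconds, host, user, old_path, new_path).
    Returns {(host, user): {'renames': peak_in_window, 'shares': [...]}} for
    every pair whose Locky-style renames reach the threshold inside any
    sliding window of `window` seconds. Threshold and window are assumptions.'''
    hits = defaultdict(list)
    for ts, host, user, _old, new in events:
        if is_locky_rename(new):
            hits[(host, user)].append((ts, new))
    alerts = {}
    for key, items in hits.items():
        items.sort()
        start, peak = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            shares = sorted({share_root(p) for _, p in items if share_root(p)})
            alerts[key] = {'renames': peak, 'shares': shares}
    return alerts


def sample_events():
    '''Constructed sample telemetry (not real data): one user renaming 30 files
    within 30 seconds, a third of them on a departmental share, plus noise.'''
    ev = []
    for i in range(30):
        folder = '//FS01/Finance/' if i % 3 == 0 else 'C:/Users/alice/Documents/'
        new_name = '%016X' % (0xA1B2C3D4E5F60000 + i) + '.zepto'
        ev.append((1000 + i, 'WS01', 'alice', folder + 'report%02d.docx' % i, folder + new_name))
    ev.append((1010, 'WS01', 'alice', 'C:/Users/alice/notes.txt', 'C:/Users/alice/notes.bak'))
    for i in range(3):   # a few renames on another host, below threshold
        ev.append((2000 + i, 'WS02', 'bob', 'C:/tmp/a%d.doc' % i, 'C:/tmp/' + '%016X' % (0x1234 + i) + '.locky'))
    return ev


if __name__ == '__main__':
    for (host, user), info in detect(sample_events()).items():
        print('ALERT', host, user, info['renames'], 'renames; shares:', info['shares'])
```

The rate check matters more than the extension match on its own: a single rename to a strange extension is noise, while dozens from one account inside a minute is the encryption loop running, and the share list tells the responder which file servers to isolate first.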
These distribution methods include exploit kits,[11] Word and Excel attachments with malicious macros,[12] DOCM attachments,[13] and zipped JS attachments.[14]\r\nThe general consensus among security experts for protecting against ransomware such as Locky is to keep installed software patched, to block or disable Office macros from untrusted sources, and to open attachments only from known senders; since sender addresses are easily spoofed, even an expected-looking invoice from a familiar name deserves verification through another channel.\r\nLocky encrypts files with AES-128 in ECB mode and protects the AES key material with a 2048-bit RSA key. The RSA key pair is generated on the attackers' server, so the private key never reaches the victim's machine and decryption without it is infeasible. Locky can encrypt files on all fixed drives, removable drives, network drives and RAM-disk drives.[15]\r\nLocky is reported to have been sent to about half a million users on February 16, 2016, and in the period immediately afterwards the attackers scaled distribution up to millions of users.[16] Despite the newer version, Google Trends data suggest that infections dropped off around June 2016.[17]\r\nOn February 18, 2016, the Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin for the decryption key for patient data.[18] The hospital was infected through an email attachment disguised as a Microsoft Word invoice.[19] The case raised public awareness of ransomware and drew attention to a growing trend of ransomware attacks on hospitals.[20]\r\nOn May 31, Necurs went dormant, perhaps because of a glitch in its C\u0026C server.[citation needed][original research?] According to Softpedia, there were fewer spam emails with Locky or Dridex attached. On June 22, however, MalwareTech observed that Necurs bots kept polling domains produced by its domain generation algorithm (DGA) until a C\u0026C server replied with a digitally signed response. This signified that Necurs was no longer dormant. 
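The attachment types the article lists under Distribution methods (macro-bearing Word and Excel documents, DOCM files, zipped JS) can be triaged at a mail gateway without opening them in Office. The following is an added example written for this page, not code from the article or from any product it cites: it inspects an attachment's bytes, recognises OOXML containers and flags a vbaProject.bin part or a macro-enabled content type, flags legacy OLE binaries for deeper inspection, and flags script files inside plain zip archives. The script-extension list, the finding labels, the quarantine policy and the sample attachments are this example's own assumptions; the sample attachments are constructed in memory and contain no real macro or script code.

```python
import io
import zipfile

# Attachment carriers named in the article: macro-bearing Word/Excel files,
# DOCM attachments and zipped JS. The sets below are this example's choice
# (assumption), not a list taken from the article or any vendor product.
SCRIPT_EXTS = ('.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta')
OLE_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')   # legacy .doc/.xls container
ZIP_MAGIC = b'PK'                               # OOXML and plain zip both start here
CONTENT_TYPES_PART = '[Content_Types].xml'


def triage_attachment(name, data):
    '''Return the list of findings for one attachment; empty means nothing seen.'''
    findings = []
    lower = name.lower()
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file. VBA lives in OLE streams, which need a
        # CFB parser (e.g. oletools) to inspect; here it is only flagged.
        findings.append('legacy-ole-office')
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append('corrupt-zip')
        return findings
    names = zf.namelist()
    if CONTENT_TYPES_PART in names:
        # OOXML (docx/docm/xlsx/xlsm). Macros are stored in a vbaProject.bin
        # part, and macro-enabled files declare a *.macroEnabled.* content type.
        if any(n.lower().endswith('vbaproject.bin') for n in names):
            findings.append('ooxml-vba-project')
        content_types = zf.read(CONTENT_TYPES_PART).decode('utf-8', 'replace')
        if 'macroenabled' in content_types.lower():
            findings.append('ooxml-macro-enabled-content-type')
        if findings and lower.endswith(('.docx', '.xlsx')):
            # Macro parts behind a macro-free extension: someone renamed it.
            findings.append('macro-parts-behind-macro-free-extension')
    else:
        # Plain archive: Locky campaigns zipped a .js downloader.
        for n in names:
            if n.lower().endswith(SCRIPT_EXTS):
                findings.append('zipped-script:' + n)
    return findings


def should_quarantine(findings):
    '''Policy: anything but a clean result is held for review (assumption).'''
    return len(findings) > 0


# --- constructed sample attachments (not real malware samples) ---

def build_ooxml(macro):
    '''Minimal in-memory .docm (macro=True) or .docx (macro=False).'''
    main_ct = ('application/vnd.ms-word.document.macroEnabled.main+xml' if macro
               else 'application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr(CONTENT_TYPES_PART,
                    '''<Types><Override PartName='/word/document.xml' ContentType='%s'/></Types>''' % main_ct)
        zf.writestr('word/document.xml', '<w:document/>')
        if macro:
            zf.writestr('word/vbaProject.bin', b'placeholder, not a real VBA project')
    return buf.getvalue()


def build_zipped_js():
    '''Zip archive holding a script named like the invoice lure (constructed).'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('invoice_20160216.js', 'WScript.Echo(1);  // placeholder body')
    return buf.getvalue()


if __name__ == '__main__':
    for fname, blob in [('invoice.docm', build_ooxml(True)),
                        ('invoice.docx', build_ooxml(False)),
                        ('invoice.zip', build_zipped_js()),
                        ('invoice.doc', OLE_MAGIC + b'placeholder')]:
        f = triage_attachment(fname, blob)
        print(fname, 'quarantine' if should_quarantine(f) else 'clean', f)
```

The check keys on container structure rather than on the file extension alone, which is why a .docx that still carries a vbaProject.bin part is reported separately: the extension was chosen by the sender, the parts inside were not.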
The cybercriminal group also began sending a very large volume of spam with new and improved versions of Locky and Dridex attached, with a new lure message and zipped JavaScript code in the emails.[9][21]\r\nIn spring 2016, computers at Dartford Grammar School and Dartford Science \u0026 Technology College were infected with Locky. In both schools a student had opened a malicious email attachment; the malware spread quickly and encrypted many school files. It remained on the computers for several weeks until staff removed it by running System Restore on every machine. (System Restore reverts system files and settings; it does not bring back encrypted documents, so recovery of the data itself depends on backups.)\r\nAn example message with Locky as an attachment is the following:\r\nDear (random name):\r\nPlease find attached our invoice for services rendered and additional disbursements in the above-mentioned matter.\r\nHoping the above to your satisfaction, we remain\r\nSincerely,\r\n(random name)\r\n(random title)\r\nReferences\r\n1. Sean Gallagher (17 February 2016). \"'Locky' crypto-ransomware rides in on malicious Word document macro\". Ars Technica.\r\n2. \"locky-ransomware-what-you-need-to-know\". Archived from the original on 19 December 2019. Retrieved 26 July 2016.\r\n3. \"locky ransomware\". 6 April 2016. Retrieved 26 July 2016.\r\n4. \"Locky ransomware: How this malware menace evolved in just 12 months\". ZDNET. Retrieved 22 June 2023.\r\n5. Ryan, Matthew (24 February 2021). Ransomware Revolution: The Rise of a Prodigious Cyber Threat. Springer Nature. ISBN 978-3-030-66583-8.\r\n6. Paul Ducklin (17 February 2016). \"Locky ransomware: What you need to know\". Naked Security. Archived from the original on 19 December 2019. Retrieved 26 July 2016.\r\n7. Kevin Beaumont (17 February 2016). \"Locky ransomware virus spreading via Word documents\". Medium.\r\n8. Krishnan, Rakesh. 
\"How Just Opening an MS Word Doc Can Hijack Every File On Your System\". Retrieved 30 November 2016.\r\n9. Spring, Tom (23 June 2016). \"Necurs Botnet is Back, Updated With Smarter Locky Variant\". Kaspersky Lab ZAO. Retrieved 27 June 2016.\r\n10. \"Locky Ransomware Information, Help Guide, and FAQ\". BleepingComputer. Retrieved 9 May 2016.\r\n11. \"AFRAIDGATE RIG-V FROM 81.177.140.7 SENDS 'OSIRIS' VARIANT LOCKY\". Malware-Traffic. Retrieved 23 December 2016.\r\n12. Abrams, Lawrence. \"Locky Ransomware switches to Egyptian Mythology with the Osiris Extension\". BleepingComputer. Retrieved 5 December 2016.\r\n13. \"Locky Ransomware Distributed Via DOCM Attachments in Latest Email Campaigns\". FireEye. Retrieved 17 August 2016.\r\n14. \"Locky Ransomware Now Embedded in Javascript\". FireEye. Retrieved 21 July 2016.\r\n15. \"Locky ransomware\". Retrieved 8 September 2017.\r\n16. \"locky ransomware threats\". Archived from the original on 28 August 2016. Retrieved 26 July 2016.\r\n17. \"Google Trends\". Google Trends. Retrieved 14 August 2016.\r\n18. Richard Winton (18 February 2016). \"Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating\". Los Angeles Times.\r\n19. Jessica Davis (26 February 2016). \"Meet the most recent cybersecurity threat: Locky\". Healthcare IT News.\r\n20. Krishnan, Rakesh. \"Ransomware attacks on Hospitals put Patients at Risk\". Retrieved 30 November 2016.\r\n21. Loeb, Larry. \"Necurs Botnet Comes Back From the Dead\". Security Intelligence. Retrieved 27 June 2016.\r\nSource: https://en.wikipedia.org/wiki/Locky",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Locky"
	],
	"report_names": [
		"Locky"
	],
	"threat_actors": [],
	"ts_created_at": 1775433972,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5786508d743afee5dbe497e7a799845911e7182.pdf",
		"text": "https://archive.orkl.eu/d5786508d743afee5dbe497e7a799845911e7182.txt",
		"img": "https://archive.orkl.eu/d5786508d743afee5dbe497e7a799845911e7182.jpg"
	}
}