Locky – New Crypto Ransomware in the Wild

Last week,  a new ransomware variant called Locky began spreading in the wild.

Locky encrypts data on an infected system using AES encryption, and then leaves a blackmail letter (which is localized in several languages) asking for half a bitcoin to get your data back. More disturbingly, it also searches for any network share (not just mapped shares), and encrypts data on those remote shares as well. If you leverage cloud storage solutions, your backup may get infected as well when it synchronizes the encrypted files. Currently, researchers have not found a way to decrypt files Locky has locked.


Locky ransom warining

Figure 1: Example of Locky’s ransom warning.

Kevin Beaumont, one of the security researchers studying this ransomware, managed to intercept some of the domains Locky uses for its Command & Control (C&C) channel. This allowed him to estimate infection rates, and he found Locky seems to infect over 100,000 victims per day. Infection rates varied by country, lead by Germany with around 5000 new infections per hour at its peak.

In most cases, Locky arrives in an email that includes an Office document with a malicious macro. If you open the document, it tries to infect you with the ransomware. Other variants sometimes arrive as a .zip file, which contains some malicious Javascript. The emails are mainly fake invoices.

Last Thursday, I personally received a variant of Locky in an attachment called “Rechnung-263-0779.xls” (which is German for “invoice”) in a Spam inbox. I decided to use this file to analyze all the ways WatchGuard’s unified threat management (UTM) appliances could stop this brand new ransomware.

To start, I uploaded the infected file to www.virustotal.com to see which antivirus (AV) vendors had a signature available. As the email was already in my inbox for over 24 hours, 26 out of 55 AV scanners were able to detect it. AVG—the AV engine WatchGuard uses for Gateway AntiVirus (GAV)—was on that list. So right away, WatchGuard’s GAV service can block this particular variant from reaching our customers.

VirusTotal Results

Figure 2: VirusTotal results for my Locky variant

Nowadays, malware changes and evolves quickly, which is why signature-based AV often can’t keep up with the latest threats. To combat this problem, WatchGuard offers another layer of protection to detect brand new, never before seen malware files. We call this solution APT Blocker. I also ran this ransomware variant through our next-gen sandbox, to see whether or not APT Blocker detected the file’s bad behavior. It did! The malicious “invoice” file received a score of 99/100 which represents a high risk. It’s particularly important to understand the added benefit of the APT blocker solution. Even if the file used to deliver Locky changes, its behaviors won’t. That’s why this solution can catch new things signatures might miss.

APT Blocker

Figure 3: APT Blocker sandbox detects Locky


Another question came to my mind: What happens if the ransomware is already in place, or reaches the system from another source (e.g. USB drive)?

As I mentioned earlier, Kevin Beaumont managed to identify some of the domains Locky uses for its for C&C connections. WebBlocker, the URL categorization service in WatchGuard Fireware, treats them as subcategories of  “Security” or “Extended Protection”.  If you block these categories with WebBlocker, it prevents Locky from calling home, and also helps you identify systems that have gotten infected. To verify this, I entered one of Locky’s known C&C domains into our online tool to confirm that we indeed list it as a known bot network channel.


Figure 4: WatchGuard WebBlocker recognizes Locky domain as malicious

Once I verified that many of our UTM’s security services could detect Locky, I ran through one last test… I personally tried to download the malicious file “Rechnung-263-0779.xls” from my webmail.

I’ve configured my WatchGuard Firebox with HTTPS Deep Inspection. This feature allows WatchGuard’s security services, such as GAV and Intrusion Prevention Service (IPS), to run security scans even on encrypted web traffic, like the webmail I was using to download this ransomware. Despite the encrypted webmail connection, our Firebox detected and blocked the Locky invoice file with the GAV service. It was unable to reach my workstation.

As you can see, WatchGuard XTM and Firebox appliances have several features that can help prevent ransomware like Locky. However, these protections only work if you turn them on and configure them properly. If you want to keep Locky off your network , I highly recommend you read the Knowledgebase Article “How to prevent ransomware and other malicious malware with your Firebox” — Jonas Spieckermann


Reference Section:


9 Responses to “Locky – New Crypto Ransomware in the Wild”

  1. Excellent write-up. Nice to see details behind the behaviors of a new Ransomware variant.

  2. I remediated several cases of “Locky” last week. Pretty much the same ransomware I have seen before they just changed up where it is in the registry…

    Good to know it has been identified.

  3. AppLocker is another great line of defense if anything liek this does manage to get through

  4. Jonas, I have a firewall noob question. If this malicious email made it into your spam folder and you had opened it from outlook or another non-webmail application, isn’t the file effectively on your system? When you try to open it up at that point, do any of the above mentioned services actually do anything to prevent you from getting infected if you have macros enabled?

    • Ben,

      I’ll try to response in lieu of Jonas. This really depends on the settings of your firewall. If you are using a WatchGuard Firebox, with all the UTM services, there is a good chance our GAV or APT Blocker services would strip the Word or Excel attachment even before the message gets “spammed”. So even if we saved the message in quarantine if we recognized it as spam, our proxies and security services may have already stripped the malicious attachment, in which case you could not recover it in quarantine.

      That said, if the attachment itself does make it with the message, then yes, if your user opened the attachment from quarantine they could get infected. In that case, though, our Firebox may actually recognize the command and control call home with Web Blocker (as Jonas mentioned) so at the very least, our reports could help you identify the infected computer in your network.

  5. hello is there anyway to decrypt the files affected by locky? not using shadow copies nor system restauration, but some decryptor software?

  6. Hello. My small office was infected yesterday with locky. We have run Malwarebytes, spybot, and they have found and eliminated many threats. However none of them were named anything similar to locky. Is there anyway to identify which computer on the small network (6 pcs’) is the infected station? I have followed the instruction I read to look at the owner of the “help” file, but each pc names that pc as the owner of the file. If I can identify the infected pc I can just remove it from the network. Thanks very much for any help with this.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: