Locky ransomware: All you should know about malware with no decryption tool

Locky was the 'patient zero' of the ransomware epidemic that hit the world in 2017

BS Web Team New Delhi
Last Updated : Sep 04 2017 | 4:54 PM IST
WannaCry and Petya have competition, and it's the latest strain of ransomware to assail computers. On Sunday, the Indian Computer Emergency Response Team (CERT-In) issued an alert on the spread of the 'Locky Ransomware' that can lock computers and demands a ransom for unlocking them. 

However, Locky is not so much a 'new kid on the block' as it is the 'comeback king' among malware. According to reports, the Locky ransomware's re-emergence with a new email distribution campaign has been touted as one of the largest malware campaigns in the latter half of 2017.

The ransomware, once considered almost defunct, sent over 23 million emails with the malware to the US workforce in just 24 hours on August 28, news agency IANS reported while citing zdnet.com. 

According to reports, the latest version of the ransomware is yet to be cracked and, thus, free decryption tools are not available at the moment.

What is Locky? 

Locky, according to zdnet.com, rose to prominence in 2016 following a number of high-profile infections. In fact, the website describes it as "one of the most successful families of ransomware of all time".  

Further, the malware appears to have evolved. According to another zdnet.com report from August this year, the new Locky campaign began on August 9. Citing researchers from Malwarebytes, the report said that in the new campaign, the malware was being distributed with a new file extension called Diablo6.
 
Further, the report said that another new variant that adds the extension '.Lukitus' to encrypted files is also doing the rounds. 

Citing a study by Google researchers, theverge.com reported in July this year that Locky was, in fact, the "patient zero" of the ransomware epidemic that hit the world in 2017. 

Further, Locky, or its makers, appear to have been pioneers in the ransomware world. The same news report explained that Locky was the first ransomware programme that kept its "payment and encryption infrastructure" separate from the groups that were distributing it. This compartmentalisation, according to the report, allowed the malware to spread "farther and faster than its competitors". 

How does it work?

The ransomware spreads via spam emails sent to unsuspecting people with innocuous subject lines. According to zdnet.com, the malware is hidden in a ZIP file containing a Visual Basic Script (VBS) file. Once a person clicks on the file, the report explains, the latest version of the Locky ransomware (the Lukitus variant) gets downloaded and encrypts all the files on the computer.

"Reports indicate that over 23 million messages have been sent in this campaign. The messages contain common subjects like 'please print', 'documents', 'photo', 'Images', 'scans' and 'pictures'. However, the subject texts may change in targeted spear phishing campaigns," the CERT-In alert, which described the severity of the ransomware as "high", said.

According to the report, once the infection takes hold, a ransom note demanding 0.5 bitcoin (close to Rs 1,50,000) is presented to the victim. The 'payment' is meant to buy a "special software" in the form of a "Locky decryptor", which the victim needs to get their files back.

Further, instructions on downloading and installing the Tor browser and how to buy Bitcoin are provided by the attackers in order to ensure victims can make the payment.
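The infection chain described above (a ZIP attachment carrying a VBS script, encrypted files renamed with the Diablo6 or Lukitus extension) can be turned into two simple defensive checks. The following is an added example written for this article, not code from any of the cited reports; it works on constructed in-memory samples, and the function and constant names are the author's own.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the article says the new Locky variants append to encrypted files.
LOCKY_EXTENSIONS = {".diablo6", ".lukitus"}
# Script type the article says is hidden inside the spam ZIP attachment.
SCRIPT_EXTENSIONS = {".vbs"}

def zip_contains_script(zip_bytes: bytes) -> list[str]:
    """Return the names of script members in a ZIP; nothing is extracted or run."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if PurePosixPath(name).suffix.lower() in SCRIPT_EXTENSIONS:
                hits.append(name)
    return hits

def is_suspicious_attachment(filename: str, content: bytes) -> bool:
    """Flag a ZIP attachment that carries a VBS script, the lure the article describes."""
    if not filename.lower().endswith(".zip"):
        return False
    try:
        return bool(zip_contains_script(content))
    except zipfile.BadZipFile:
        # Corrupt or fake ZIPs are left to other checks rather than crashing the scan.
        return False

def encrypted_files(paths: list[str]) -> list[str]:
    """Return paths whose extension matches a Locky variant named in the article."""
    return [p for p in paths if PurePosixPath(p).suffix.lower() in LOCKY_EXTENSIONS]

def _make_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory ZIP so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a lure-style attachment and a benign one (no real malware).
LURE_ZIP = _make_zip({"scan_0042.vbs": b"' constructed placeholder, not a real script"})
BENIGN_ZIP = _make_zip({"photo.jpg": b"\xff\xd8\xff"})

if __name__ == "__main__":
    print(is_suspicious_attachment("documents.zip", LURE_ZIP))   # True
    print(is_suspicious_attachment("pictures.zip", BENIGN_ZIP))  # False
    print(encrypted_files(["report.docx.lukitus", "notes.txt"]))  # ['report.docx.lukitus']
```

A sudden burst of files matching `encrypted_files` on a share is the kind of signal a file-server monitor can act on before the whole volume is encrypted.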
