{
  "family": "locky",
  "sample_count": 11,
  "category": "ransomware",
  "description": "Locky is a major ransomware family active primarily from 2016 to 2017 that became one of the most prevalent ransomware strains during that period. It encrypts files with RSA-2048 plus AES and appends extensions such as .locky, .zepto, .odin, and .thor across its variants. Locky was distributed at massive scale through the Necurs botnet using malicious Office documents and JavaScript attachments. Its operators retired around 2017, though Locky-derived code influenced subsequent ransomware families.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "zepto"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Locky?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Locky is a major ransomware family active primarily from 2016 to 2017 that became one of the most prevalent ransomware strains during that period. It encrypts files with RSA-2048 plus AES and appends extensions such as .locky, .zepto, .odin, and .thor across its variants. Locky was distributed at massive scale through the Necurs botnet using malicious Office documents and JavaScript attachments. Its operators retired around 2017, though Locky-derived code influenced subsequent ransomware families."
      }
    },
    {
      "@type": "Question",
      "name": "How does Locky spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Locky spread through massive phishing campaigns using malicious Word, Excel, and JavaScript attachments, peaking in 2016 before declining sharply."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Locky infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Indicators of a Locky infection include files renamed with .locky, .zepto, .odin, or .aesir extensions, ransom notes such as _Locky_recover_instructions.txt, and antivirus detections that name Locky."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Locky on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1566.001",
    "T1486",
    "T1490"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}