Locky

Category: ransomware · Aliases: Ransom.Locky, Win32/Locky, Trojan-Ransom.Win32.Locky · Sample count (EMBER 2018): 11 · Enrichment: curated_sourced · Updated: 2026-07-02T09:03:09Z

Overview

Executive Summary

Locky is an extremely notorious, historically devastating strain of enterprise ransomware that first appeared in 2016. It was responsible for some of the most widespread and costly cyberattacks globally, notoriously shutting down hospitals and large corporations. While its prevalence has declined in favor of more modern targeted ransomware (like Conti or LockBit), its aggressive encryption algorithms, rapid network propagation capabilities, and sophisticated evasion techniques made it a defining threat of the modern ransomware era.

Infection Vector and Technical Capabilities

At its peak, Locky was distributed by the massive Necurs botnet, utilizing unprecedented volumes of malspam. Emails typically contained weaponized Word documents with malicious macros, or ZIP files containing highly obfuscated JavaScript downloaders. Locky's technical execution is ruthlessly efficient:

Threat Assessment

A Locky infection is a catastrophic "Code Red" event. It results in immediate, widespread data loss and operational paralysis. Because it aggressively targets network shares, a single compromised workstation can encrypt the entire corporate file server infrastructure within minutes.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1486 T1490 T1568.002

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_LOCKY {
    meta:
        description = "Detects Locky (ransomware)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "locky" ascii wide nocase
        $s2 = "ransom.locky" ascii wide nocase
        $s3 = "win32/locky" ascii wide nocase
        $s4 = "trojan-ransom.win32.locky" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Locky Activity
id: a270bb19c22d88bd2a4046f1c304db2c
status: experimental
description: Detects generic indicators of the locky malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*locky*"
            - "*ransom.locky*"
            - "*win32/locky*"
            - "*trojan-ransom.win32.locky*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Locky?

Ransomware, first seen in early 2016, that encrypts files on Windows systems and demands a ransom; it is no longer active.

How was Locky distributed?

Through exploit kits and malicious spam emails carrying malicious attachments or downloaders.

How did Locky tell victims they were infected?

It displayed ransom-note instructions as both a desktop wallpaper and text files placed on the system.

Is Locky still a threat?

Per Malwarebytes, Locky is out of commission, though its history makes it a useful example of document/spam-based ransomware.

How can document- and spam-based ransomware like Locky be prevented?

Disable Office macros from untrusted sources, be cautious with email attachments, keep software patched, and maintain offline backups.

Where can I read an authoritative source on Locky?

Malwarebytes maintains a Ransom.Locky detection page, linked on this page.

Related Families (Category: ransomware)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/locky.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.