Locky is an extremely notorious, historically devastating strain of enterprise ransomware that first appeared in 2016. It was responsible for some of the most widespread and costly cyberattacks globally, notoriously shutting down hospitals and large corporations. While its prevalence has declined in favor of more modern targeted ransomware (like Conti or LockBit), its aggressive encryption algorithms, rapid network propagation capabilities, and sophisticated evasion techniques made it a defining threat of the modern ransomware era.
Infection Vector and Technical Capabilities
At its peak, Locky was distributed by the massive Necurs botnet, utilizing unprecedented volumes of malspam. Emails typically contained weaponized Word documents with malicious macros, or ZIP files containing highly obfuscated JavaScript downloaders.
Locky's technical execution is ruthlessly efficient:
Aggressive File Encryption: Upon execution, Locky generates a unique RSA-2048 and AES-128 key pair. It rapidly scans all local drives and, critically, all accessible network shares (even unmapped ones), encrypting over 160 different file extensions. Encrypted files are renamed, famously appending the `.locky`, `.zepto`, or `.osiris` extension.
Shadow Copy Deletion: To prevent easy recovery, Locky executes `vssadmin.exe Delete Shadows /All /Quiet`, destroying all local Windows Volume Shadow Copies before the user realizes an attack is occurring.
Domain Generation Algorithm (DGA): Locky utilized a complex DGA to locate its Command and Control (C2) servers for key exchange. This made it highly resilient against simple DNS sinkholing or IP blocklists, as it could generate and attempt to contact thousands of new domains daily.
Threat Assessment
A Locky infection is a catastrophic "Code Red" event. It results in immediate, widespread data loss and operational paralysis. Because it aggressively targets network shares, a single compromised workstation can encrypt the entire corporate file server infrastructure within minutes.
Incident Response and Remediation
Total Network Severance (Pull the Plug): If active Locky encryption is detected, the absolute highest priority is to physically disconnect the infected machine(s) and take critical file servers offline immediately to halt the spread of the encryption across the SMB network.
Identify Patient Zero: Utilize EDR and firewall logs to identify the initial infected host and the delivery mechanism (usually an opened email attachment) to understand the breach vector.
Restore from Offline Backups: Do not pay the ransom. Locky remediation requires completely wiping all affected machines and file servers, rebuilding the OS, and restoring all data from secure, offline backups that were not connected to the network during the attack.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1486T1490T1568.002
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.