Tech Tips

A Locky Ransomware Analysis From A Tech Perspective


Locky is a type of ransomware spread via malicious .doc, .xls or zip files attached to spam emails. These files contains macros which would look like scrambled text. Once the document is downloaded, so is the ransomware. Once Locky has run and infected the files on your computer, you won’t be able to access them, and these encrypted files will be given a new file name to a unique 16 letter and digit combination with different file extensions such as .diablo6, .locky, .odin, .zepto, .aesir, .thor or .osiris.

Moreover, this ransomware changes your desktop wallpaper with a message prompting you to pay a ransom in exchange for the recovery key.

So how does this malware really works? We’ll know in this Locky ransomware analysis.

Locky Ransomware Analysis

The process starts with a spam email which contains a fraudulent document attached to it which contains the malware. What attackers generally do is to use different names and attachments in every malicious e-mail, in order to dodge detection by security products.

This document contains macros which are enabled once the user clicks “enable content”. The code then executes and starts to infect your files.

Infected files will now be encrypted and are fully renamed. It  creates a unique ID of the victim starting with a 16 character name at the beginning, then a .locky extension that is known for this ransomware.

These files will now become inaccessible. Locky uses RSA and AES encryption to encrypt numerous files. It usually searches for various file types such as:  .pdf, .rar, .bat, .mpeg, .qcow2, .vmdk .tar.bz2, .djvu, .jpeg, .tiff, .class, .java, .SQLITEDB, .SQLITE3, .lay6, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .potx, .potm, .pptx, .pptm, .xltx, .xltm, .xlsx, .xlsm .asm, .c, .cpp, .h, .png, txt, .cs, .gif, .jpg, .rtf, .xml, .zip, .asc, .xlsb, .dotm, .dotx, .docm, .docx, wallet.dat, etc.

After Locky has finished encrypting the victim’s files, it will display a ransom note in the form of text and bitmap set as the victim’s wallpaper. The message can be localized depending on the victim’s location detected in the system.

The victim will also get a web page that contains more instructions on how to make the payment.

Unfortunately, there are no tools yet capable of decrypting files affected by this malware.

So what does Locky ransomware usually attack? There are 3 types of local drives: fixed, removable and RAM disks. Network resources are also commonly attacked.


Seeing how MS docs play a role in the spread of this malware, it is important to consider the risks distinctive to using macros in Microsoft office documents, and it’s ability to compromise personal or work files, or worse, an entire corporate network.

It is very important that users be informed about the trends in cyber security and computer crime, most especially the effects of ransomware and other threats. Most importantly, is to have an up-to-date, properly configured anti-virus/ anti-malware software as your first line of defense against this kind of malicious threats from damaging your systems.




Bill Gordon

Bill Gordon has been writing on tech and malware subjects for 6 years and has been working in the internet and tech industry for over 15 years. He currently lives in Southern California.

Related Articles

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button