Locky ransomware is far from dead

Alexej Savčin, 19 May 2016

Locky is ransomware targeting PCs in small businesses. Avast detects and protects you from this ransomware.

Avast Antivirus solutions protect against Locky ransomware.

A brief update on Locky, the latest ransomware targeting PCs:

Beware of emails from random email addresses with subject lines like “Upcoming Payment – 1 Month Notice”. These emails typically come with a zip attachment that attackers have created to run a script that downloads and runs the now well-known ransomware, Locky. These phishing emails prove that Locky is not going anywhere anytime soon.

The emails are written in typical phishing style. The attacker tries to entice a potential victim to read the email and subsequently download the attachment. Attackers seem to be targeting small and medium-sized businesses to gain access to valuable company data.

[Image: Locky_email_content.png] Content of the email.

[Image: Locky_executable.png]

After decrypting the malicious JavaScript file that downloads the exe file, we discovered the URLs above.
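A mail-filter check for the delivery pattern described above (a zip attachment carrying a script, JavaScript in this campaign), as an added example that is not Avast's code or detection logic: it flags zip attachments that contain script files. The extensions beyond `.js`, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# ".js" is the script type this post names; the other extensions are an
# assumption (script types Windows also runs on double-click).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".hta")


def scan_message(raw):
    """Return (attachment_name, reason) findings for one raw email message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        # Identify zips by magic bytes, not the sender-controlled file name.
        if not data.startswith(b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                hits = [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
        except zipfile.BadZipFile:
            # A zip the filter cannot list is itself worth quarantining.
            findings.append((name, "unreadable zip"))
            continue
        if hits:
            findings.append((name, "script in zip: " + ", ".join(hits)))
    return findings


def build_sample(member_name, member_body):
    """Constructed test message: a harmless zip attached to a lure-style email."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_body)
    msg = EmailMessage()
    msg["Subject"] = "Upcoming Payment - 1 Month Notice"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Please see the attached notice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="notice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample("invoice.js", "// harmless placeholder")))
```

The check reads only the archive's file listing, so it does not look inside nested archives.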

[Image: Make_love_not_malware.png]

Some URLs just point to a nice message instead of malicious files.

Avast protects against Locky

We advise everyone to never open attachments from unverified sources. Most companies, banks, agencies, etc., don’t request personal information via email. If in doubt, give them a call (but don’t use the phone number contained in the email—that’s usually phony as well).

If you are an Avast user, don’t worry: we protect against Locky! We monitor new mailing campaigns on a daily basis and use them to create new URL detections that protect our consumer and business users.