Key Takeaways
- Locky ransomware spreads through malicious spam emails, encrypts a victim’s files, and demands Bitcoin for recovery. Its mass campaigns ended in 2017, but its delivery techniques are still used by today’s ransomware operators.
- Email authentication protocols like DMARC, SPF, and DKIM can block spoofed malspam before it reaches your inbox.
- Prevention through strong email security and user training is the only reliable defense against Locky, as most variants have no public decryptors.
Locky ransomware appeared in February 2016 and quickly became a major threat. It encrypted files on a victim’s computer and then demanded payment in Bitcoin to unlock them. Even though Locky is almost ten years old, it is still important to understand how it works: encrypted files from old infections still turn up on shares and backups, and the phishing tricks it popularized are still used by today’s ransomware groups.
What makes Locky particularly notable is its connection to the criminal ecosystem behind the Dridex banking trojan (whose operators are tracked as Evil Corp) and its massive distribution through the Necurs botnet, a spam operation attributed to the group Proofpoint tracks as TA505. At its peak, Locky infected thousands of organizations globally, causing major data loss and disruption for hospitals, banks, and small businesses.
Even though the email security landscape has evolved since then, the tactics Locky used, including spoofed sender addresses, malicious attachments, and social engineering, remain foundational to ransomware attacks. Strong email security controls and authentication protocols are essential first-line defenses against these threats.
What Is Locky Ransomware?
Locky ransomware is a crypto-ransomware strain that encrypts files on infected systems, rendering them inaccessible until a ransom is paid. Unlike data-stealing malware, Locky focuses solely on file encryption, using strong cryptographic algorithms to lock documents, images, databases, and backups.
Once encryption is complete, Locky demands payment in Bitcoin, typically 0.5 to 1 BTC, and provides a Tor-based payment portal where victims can supposedly purchase a decryptor. Paying offers no guarantee of file recovery, and law enforcement and incident responders consistently advise against it.
Healthcare organizations were among Locky’s most visible victims, with hospitals, medical practices, and health systems experiencing critical disruptions. The best-known case is Hollywood Presbyterian Medical Center, which paid about $17,000 in Bitcoin (40 BTC at the time) after an infection in February 2016. The ransomware did not discriminate by organization size: small businesses with limited security resources proved just as vulnerable as larger enterprises.
Locky employs several sophisticated evasion techniques, including obfuscated JavaScript payloads, dynamic command-and-control server addresses, and rapid variant releases to bypass signature-based detection. These methods allowed it to remain effective even as security vendors updated their defenses.
Important variants
Locky was re-released many times, each build changing just enough to slip past signature-based detection. The versions are usually identified by the extension appended to encrypted files:
- .locky – Original variant, February 2016; encrypted files were renamed to 32 hexadecimal characters
- .zepto – June 2016; introduced the GUID-style file naming used by every later variant
- .odin – Late September 2016
- .shit and .thor – October 2016 (the .shit extension lasted only days before .thor replaced it)
- .aesir and .zzzzz – November 2016
- .osiris – December 2016, the last variant before a months-long lull in distribution
- .diablo6 and .lukitus – August 2017 resurgence, pushed by Necurs as fake invoices and scanned documents
- .ykcol – September 2017 (“locky” spelled backwards)
- .asasin – October 2017, the last widely seen variant
Each variant kept the same core infection chain and RSA/AES encryption scheme while changing extensions, ransom note names, file-naming layout, and download infrastructure. The rapid release cycle (sometimes weekly) made it hard for security vendors to keep signatures current.
How Locky Ransomware Works
Understanding Locky’s infection lifecycle helps organizations build effective defenses at each stage of the attack chain.
1. Delivery
Locky arrives via massive malicious spam campaigns designed to look like legitimate business communications. These emails impersonate invoices, payment notifications, delivery receipts, or order confirmations from well-known brands.
Attachments typically include Word documents (.doc, .docm), Excel spreadsheets (.xls, .xlsm), or ZIP archives containing JavaScript (.js), Visual Basic Script (.vbs), or Windows Script File (.wsf) downloaders, often with a decoy double extension such as invoice.pdf.js. The Necurs botnet distributed these at enormous scale: individual campaigns were observed sending tens of millions of messages in a single day, overwhelming spam filters with sheer volume.
Attackers spoofed the sender address so the messages appeared to come from trusted contacts or well-known brands. Without email authentication (SPF, DKIM, and DMARC) on the spoofed domain, the receiving mail server had no reliable way to tell a forged From header from a genuine one.
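The attachment types described above can be flagged on the mail gateway before anyone opens them in Office. The following script is an added example written for this article, not code from the original page or from any vendor: it parses an .eml, checks whether an OOXML document actually carries a VBA project (even if it was renamed to .docx), and looks inside ZIP attachments for script files and decoy double extensions. The sample message, its attachment names and the “vbaProject.bin” placeholder bytes are constructed here for illustration.

```python
"""Inspect an inbound .eml for the attachment patterns Locky's malspam used.

Added example (not from the article). The rule set below is a practitioner's
own assumption, not a vendor ruleset:
  * macro-enabled Office names (.docm/.xlsm/...) and legacy OLE2 binaries (.doc/.xls)
  * any OOXML package that really contains a VBA project (vbaProject.bin)
  * archives that hold script files or decoy double extensions such as invoice.pdf.js
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".lnk"}
LEGACY_OFFICE = {".doc", ".xls"}            # OLE2 containers; VBA not visible without olefile
MACRO_OOXML = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
OOXML_EXT = MACRO_OOXML | {".docx", ".xlsx", ".pptx"}
DECOY_INNER = {".pdf", ".doc", ".txt", ".jpg"}  # the "document" half of name.pdf.js


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _ooxml_has_vba(data: bytes) -> bool:
    """OOXML files are ZIPs; a macro project lives at word/ (or xl/, ppt/) vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def _archive_findings(name: str, data: bytes) -> list[str]:
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if _ext(member) in SCRIPT_EXT:
                    findings.append(f"{name}: archive contains script {member}")
                parts = member.lower().rsplit(".", 2)
                if len(parts) == 3 and "." + parts[1] in DECOY_INNER:
                    findings.append(f"{name}: double extension {member}")
    except zipfile.BadZipFile:
        findings.append(f"{name}: .zip attachment is not a valid archive")
    return findings


def scan_eml(raw: bytes) -> list[str]:
    """Return human-readable findings for one message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in MACRO_OOXML:
            findings.append(f"{name}: macro-enabled Office extension")
        elif ext in LEGACY_OFFICE:
            findings.append(f"{name}: legacy Office binary (may carry VBA macros)")
        if ext in OOXML_EXT and _ooxml_has_vba(data):
            findings.append(f"{name}: OOXML package contains vbaProject.bin")
        if ext in SCRIPT_EXT:
            findings.append(f"{name}: bare script attachment")
        if ext == ".zip":
            findings.extend(_archive_findings(name, data))
    return findings


def build_sample_eml() -> bytes:
    """Constructed lure: a .docx that secretly holds a VBA part, plus a ZIP wrapping
    invoice_2016-03.pdf.js. The VBA bytes are a placeholder, not real macro code."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    arc = io.BytesIO()
    with zipfile.ZipFile(arc, "w") as zf:
        zf.writestr("invoice_2016-03.pdf.js", "// downloader placeholder, no real code")
    m = EmailMessage()
    m["From"] = "Accounts <billing@example.com>"
    m["To"] = "victim@example.org"
    m["Subject"] = "ATTN: Invoice J-98223146"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(doc.getvalue(), maintype="application",
                     subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                     filename="invoice.docx")
    m.add_attachment(arc.getvalue(), maintype="application", subtype="zip",
                     filename="invoice.zip")
    return bytes(m)


SAMPLE_EML = build_sample_eml()

if __name__ == "__main__":
    for finding in scan_eml(SAMPLE_EML):
        print("[!]", finding)
```

Run against the constructed sample it reports the hidden VBA project and both archive findings; a clean .docx with no vbaProject.bin and a ZIP of plain PDFs produce no output. Legacy .doc/.xls files are flagged on name alone because reading their OLE2 macro streams needs a library such as oletools, which is outside this example.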
2. Macro enabling
When victims open the malicious file, they see unreadable text and a message telling them to “Enable macros to view content” or “Enable editing to display document.”
This social engineering trick exploits users’ trust and desire to view what appears to be important business information. Microsoft Office disables macros by default for security reasons, but Locky’s operators crafted convincing lures to trick users into manually enabling them.
The moment macros are enabled, the embedded VBA runs immediately and silently, before the user realizes that the “document” was never going to render.
3. Malware download
When macros are enabled (or the .js/.vbs downloader is double-clicked), the script fetches the real Locky executable from a payload URL, frequently a compromised website. This two-stage method helps attackers avoid detection because the attachment contains only a small downloader, not the ransomware itself. Once running, Locky contacts a command-and-control (C2) server to register the victim and obtain the RSA public key used for encryption; from mid-2016 onward it could also fall back to an embedded key and encrypt offline if the C2 was unreachable.
The C2 addresses changed frequently, often daily, which made them hard to block. Locky’s developers combined hard-coded C2 IPs with a domain generation algorithm (DGA) that derived new candidate domains from the current date and a per-sample seed, so that even if some domains were taken down, others remained available.
4. Encryption
After downloading, Locky immediately begins encrypting files using a combination of RSA-2048 (to protect the per-victim key) and AES-128 (to encrypt file contents). This hybrid approach ensures that files cannot be decrypted without the attacker’s private key. Before encrypting, Locky also deletes Volume Shadow Copies (vssadmin.exe Delete Shadows /All /Quiet) so that Windows’ built-in previous-version recovery cannot be used.
Locky targets various file types, including documents (.doc, .pdf, .txt), images (.jpg, .png), databases (.sql, .mdb), source code (.php, .java), and backups (.bak). It encrypts not only local drives but also mapped network shares and connected external storage devices.
Once encrypted, files are renamed so the original name is hidden. The first variant used 32 hexadecimal characters, the first 16 of which identify the victim (for example, F67091F1D24A922B1A7FC27E19A9D9BC.locky); from .zepto onward the same information was laid out GUID-style, so document.docx might become A4B2C8D1-E5F6-7890-1234-56789ABCDEF0.zepto. The original filename is stored inside the encrypted file, so it cannot be recovered without the key.
5. Ransom note
After encryption completes, Locky drops its ransom note in every affected folder and sets it as the desktop wallpaper. The first variant used _Locky_recover_instructions.txt and _Locky_recover_instructions.bmp; later variants renamed the note (for example _HELP_instructions.html for .zepto, OSIRIS-[id].htm for .osiris, and lukitus.htm for .lukitus). The note contains instructions for accessing a Tor-based payment portal (the “Locky Decryptor Page”) where victims can supposedly purchase the decryptor.
The payment page typically shows the price in Bitcoin and warns that it will rise or that the key will be lost if the victim waits too long. This manufactured urgency pushes people to pay before getting help from incident responders.
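The naming and ransom-note conventions above are what a responder uses to scope an incident on a file share: which variant is present, how many hosts wrote to the share, and when encryption started, so the right backup can be chosen. The script below is an added example for this article, not code from the original page or from any vendor; it performs a read-only walk, decrypts nothing, and builds its own sample directory tree in a temporary folder. The extension and note-name mappings follow public analyses of the variants listed earlier; treat them as a starting point to extend.

```python
"""Read-only triage of a share suspected to be hit by Locky.

Added example (not from the article). Reports the variant(s) present, distinct
victim IDs (Locky embeds a 16-hex-character victim ID at the start of every
renamed file), ransom notes found, and the earliest/latest encrypted-file
timestamps. The sample tree is constructed in a temp directory.
"""
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Extensions used by the Locky family, as listed in public write-ups.
LOCKY_EXTS = {"locky", "zepto", "odin", "shit", "thor", "aesir", "zzzzz",
              "osiris", "diablo6", "lukitus", "ykcol", "asasin"}

ENCRYPTED_NAME = re.compile(
    r"^(?:[0-9A-F]{32}"                                                # .locky: 32 hex chars
    r"|[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})"   # .zepto onward: GUID-style
    r"\.(" + "|".join(sorted(LOCKY_EXTS)) + r")$", re.IGNORECASE)

# Ransom-note filenames from the variants whose notes are well documented.
RANSOM_NOTE = re.compile(
    r"^(?:_Locky_recover_instructions\.(?:txt|bmp)"
    r"|_HELP_instructions\.(?:html|bmp)"
    r"|_(?:\d+_)?HOWDO_text\.(?:html|bmp)"
    r"|OSIRIS-[0-9A-F]{4}\.htm"
    r"|lukitus\.(?:htm|bmp))$", re.IGNORECASE)


def victim_id(filename: str) -> str:
    """First 16 hex characters of the renamed file, hyphens removed."""
    stem = filename.split(".", 1)[0]
    return re.sub(r"[^0-9A-Fa-f]", "", stem)[:16].upper()


def triage(root: str) -> dict:
    by_variant: Counter = Counter()
    ids, notes = set(), []
    first = last = None
    for dirpath, _, files in os.walk(root):
        for fn in files:
            m = ENCRYPTED_NAME.match(fn)
            if m:
                by_variant[m.group(1).lower()] += 1
                ids.add(victim_id(fn))
                mtime = os.stat(os.path.join(dirpath, fn)).st_mtime
                first = mtime if first is None else min(first, mtime)
                last = mtime if last is None else max(last, mtime)
            elif RANSOM_NOTE.match(fn):
                notes.append(os.path.relpath(os.path.join(dirpath, fn), root).replace(os.sep, "/"))
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat() if t is not None else None
    return {
        "files_by_variant": dict(by_variant),
        "victim_ids": sorted(ids),          # more than one means several hosts hit the share
        "ransom_notes": sorted(notes),
        "first_encrypted": iso(first),      # restore from a backup older than this
        "last_encrypted": iso(last),
    }


def build_sample_tree() -> str:
    """Constructed share: .osiris files from two hosts, one leftover .locky file from an
    earlier infection, an OSIRIS note, and an untouched readme. Timestamps are invented."""
    root = tempfile.mkdtemp(prefix="locky_triage_")
    os.makedirs(os.path.join(root, "Finance", "2016"), exist_ok=True)
    samples = {
        "Finance/2016/0F1E2D3C-4B5A-6978-1A2B-3C4D5E6F7081.osiris": 1481000000,
        "Finance/2016/0F1E2D3C-4B5A-6978-9F8E-7D6C5B4A3928.osiris": 1481000600,
        "Finance/1AB2C3D4-E5F6-0718-2A3B-4C5D6E7F8091.osiris": 1481000300,
        "Finance/OSIRIS-9b2f.htm": 1481000650,
        "Finance/F67091F1D24A922B1A7FC27E19A9D9BC.locky": 1456000000,
        "Finance/readme.txt": 1470000000,
    }
    for rel, ts in samples.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(b"x")
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed tree the report shows three .osiris files and one .locky file, three distinct victim IDs (two .osiris hosts plus the older .locky host), the OSIRIS note, and a first-encrypted time in February 2016 that correctly belongs to the stale .locky leftover rather than the current outbreak; a responder would read the per-variant counts together with the timestamps before picking a restore point.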
How to Prevent Locky Ransomware
Prevention is the only reliable defense against Locky. No variant has a public decryptor, so encrypted files are permanently lost unless a clean backup exists.
Catching Locky in the act is hard because it encrypts quickly and its downloaders are obfuscated to evade traditional detection tools, which makes stopping the email before it is opened far more valuable than reacting once encryption has started.
Here are essential prevention measures:
- Implement email authentication protocols: Deploy SPF, DKIM, and DMARC to block spoofed malspam before it reaches inboxes. PowerDMARC provides automated setup, human-readable reports, and real-time threat alerts to make authentication accessible for organizations of any size.
- Enable advanced spam filtering: Use secure email gateways with attachment sandboxing, link rewriting, and behavioral analysis to catch malicious emails that bypass authentication checks.
- Disable macros by default: Configure Microsoft Office (via Group Policy) to block macros in files downloaded from the internet and to allow only digitally signed macros from trusted publishers, so the “Enable Content” lure has nothing to offer.
- Maintain regular patching: Keep operating systems, applications, and security software current with the latest updates to close known vulnerabilities.
- Train staff on phishing awareness: Provide regular security training so employees learn to spot suspicious emails, avoid unexpected attachments, and never enable macros in documents they weren’t expecting.
- Maintain offline backups: Keep regular, disconnected backups of critical data following the 3-2-1 rule (three copies, two media types, one offsite).
- Deploy endpoint protection: Use reputable anti-malware solutions with behavioral analysis, ransomware-specific detection, and automatic remediation capabilities.
Locky is fundamentally an email-borne attack vector. Organizations that implement strong email authentication with tools like PowerDMARC’s DMARC Checker, SPF Record Checker, and DKIM Checker can validate their authentication configuration and significantly reduce exposure to spoofed malspam campaigns.
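To make the authentication point concrete, the following is an added example written for this article (not PowerDMARC’s code, nor a full DMARC implementation): it applies the DMARC identifier-alignment and policy logic a receiving mail server runs, given already-computed SPF and DKIM verdicts, and shows how the same spoofed message is delivered under p=none but rejected under p=reject. Two simplifications are assumptions: the organizational domain is taken as the last two DNS labels instead of being looked up in the Public Suffix List, and the pct tag is ignored. Both sample messages and the domains in them are constructed.

```python
"""DMARC alignment and disposition, as a receiving MTA evaluates it.

Added example (not from the article or PowerDMARC). Assumptions: SPF/DKIM results
are supplied as inputs rather than re-verified; organizational domain = last two
labels (a real implementation consults the Public Suffix List); pct is ignored.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict[str, str]:
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment matches organizational domains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    from_domain: str    # RFC5322.From domain, the one the user sees
    spf_domain: str     # RFC5321.MailFrom domain that SPF was evaluated against
    spf_pass: bool
    dkim_domain: str    # d= of a DKIM signature that verified, or "" if none did
    dkim_pass: bool


def dmarc_disposition(res: AuthResult, record: str) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message under one record."""
    tags = parse_dmarc_record(record)
    spf_ok = res.spf_pass and aligned(res.from_domain, res.spf_domain, tags.get("aspf", "r"))
    dkim_ok = res.dkim_pass and aligned(res.from_domain, res.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:          # DMARC passes if either aligned mechanism passes
        return "pass"
    requested = tags.get("p", "none")
    return requested if requested in ("quarantine", "reject") else "none"


# Constructed: a Locky-era lure with a forged From of example.com, sent from a botnet
# host whose bounce address is in an unrelated domain and carrying no DKIM signature.
SPOOFED = AuthResult("example.com", "mail-sender-4471.invalid", False, "", False)
# Constructed: a genuine message from the same domain, SPF-passing and DKIM-signed.
GENUINE = AuthResult("example.com", "bounce.example.com", True, "example.com", True)

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject; adkim=s"):
        print(f"{rec:32} spoofed -> {dmarc_disposition(SPOOFED, rec):10} "
              f"genuine -> {dmarc_disposition(GENUINE, rec)}")
```

The point the output makes is that publishing SPF and DKIM alone does nothing to the forged message: only the DMARC policy turns the failed alignment into a quarantine or reject. A domain that is still at p=none is reporting spoofing, not stopping it, so moving to p=quarantine and then p=reject (after the aggregate reports show legitimate senders are aligned) is what actually blocks Locky-style malspam.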
How to Remove Locky If You’re Already Infected
If you suspect a Locky infection, immediate action can prevent further damage and stop it from spreading to other devices. Follow these steps carefully:
- Isolate the infected system immediately: Disconnect from the network (unplug the Ethernet cable and disable Wi-Fi) to stop Locky from reaching shared drives or spreading to other devices.
- Disconnect external storage: Remove all USB drives, external hard drives, and mapped network shares to protect backup data from encryption.
- Use a clean device for recovery tools: Download reputable anti-malware software (Malwarebytes, Kaspersky Rescue Disk, or similar) from an uninfected computer and transfer via a clean USB drive.
- Boot into Safe Mode: Restart the infected system in Safe Mode (not Safe Mode with Networking, since the machine should stay isolated) so that any autorun entry Locky added does not relaunch it while you clean up.
- Run a full system scan: Execute comprehensive anti-malware scans to detect and remove Locky executables, processes, and registry entries.
- Do not pay the ransom: Paying ransoms funds criminal operations and provides no guarantee of file recovery. Many victims who paid never received working decryption keys.
Critical clarification: Removing Locky stops further encryption and prevents spread to other systems, but it does not decrypt already-encrypted files. File recovery requires either secure backups or the attacker’s private decryption key (which is rarely provided even after payment).
How to Restore Your Systems After a Locky Attack
System restoration after a Locky attack depends entirely on having safe, verified backups. Locky’s RSA-2048/AES-128 scheme has no known weakness, so without backups or the attacker’s private key, encrypted files cannot be recovered.
Organizations should follow a structured recovery process to recover from a ransomware attack:
- Verify backup integrity: Before restoring, confirm that backups are complete, uncorrupted, and free from ransomware (test restore on an isolated system first).
- Restore from offline backups: Use the most recent clean backup taken before the infection occurred. Prioritize mission-critical data and systems first.
- Rebuild compromised machines: For heavily infected systems, complete OS reinstallation may be safer than attempting to clean existing installations.
- Reset all credentials: Change passwords for all user accounts, service accounts, and administrative credentials. Check for unauthorized access attempts or lateral movement indicators.
- Implement enhanced security policies: Before bringing systems back online, strengthen defenses to prevent reinfection. This includes email authentication, endpoint protection, and network segmentation.
- Audit email security posture: Review and improve email authentication controls. Ensure SPF, DKIM, and DMARC are properly configured to prevent spoofed malspam from reaching users again.
No Locky variant has a public decryptor. Security researchers occasionally release free decryption tools for ransomware strains whose authors made cryptographic mistakes or leaked keys, but Locky’s implementation has never been broken. Prevention and tested backups are the only reliable defenses.
Locky’s Roadmap for Better Security
Locky ransomware is still an important example for understanding how ransomware has evolved and why layered security is essential. Large Locky outbreaks have faded since 2017, but the tactics it introduced, such as mass malspam distribution, social engineering via macro-enabled documents, and aggressive file encryption, continue to influence modern ransomware families.
The core lesson from Locky is clear: prevention through robust email security combined with user vigilance is your strongest defense. Organizations cannot rely on detecting ransomware after infection, as by that point, critical files may already be encrypted.
Today’s security tools are much better at stopping email-based attacks. Properly set up DMARC, SPF, and DKIM can block spoofed emails used to spread ransomware like Locky. AI-powered threat intelligence, behavior-based detection, and strong endpoint protection add even more layers of defense.
PowerDMARC helps organizations build this critical first line of defense with automated DMARC implementation, real-time threat alerts, and expert support. Our platform makes email authentication accessible for businesses of any size, protecting against spoofing, phishing emails, and ransomware delivery before threats reach your users’ inboxes.
Book a DMARC demo to see how PowerDMARC can protect your domains from ransomware and other email-based threats.
Frequently Asked Questions (FAQs)
How to decrypt Locky ransomware?
No Locky variant has a public decryptor. Each file’s AES key is protected with the attacker’s RSA-2048 key pair, and there is no known way to recover it without the private key. The only reliable recovery method is restoring from clean, offline backups.
How does Locky ransomware spread on a device?
Locky spreads when users open malicious email attachments and enable macros, which downloads the ransomware executable that encrypts files on local drives and accessible network shares.
How can I recognize and avoid ransomware attacks?
Be cautious with emails that carry unexpected attachments, such as surprise invoices or payment requests, and never enable macros in a document you were not expecting. Verify the sender through a channel you already trust (a known phone number, not the contact details in the email), and make sure your own domain publishes an enforcing DMARC policy so that forged messages in your name are rejected rather than delivered.
- Locky Ransomware: Stay Protected From Email Threats - December 11, 2025