Trojan-Downloader:W97M/Locky

Classification

Category :

Malware

Type :

Trojan-Downloader

Platform :

W97M

Aliases :

Trojan-Downloader:W97M/Locky.[variant], Locky.[variant]

Summary

Trojan-Downloader:W97M/Locky is ransomware that encrypts files saved on the machine and demands payment of a ransom in order to obtain the decryption key needed to restore normal access to the affected files.

Removal

F-Secure detects ransomware using a variety of signature and generic detections. Once detected, the F-Secure security product will automatically remove the file.

Further action

If the ransomware uses encryption to take files or an entire system hostage, the encryption may be sufficient to make it very difficult to decrypt the files without the necessary decryption key.

In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a recent clean backup.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Users typically encounter Locky ransomware by either being exposed to an exploit kit or via a spam email message with a file attachment.

Delivery via email

The most common way Locky ransomware is distributed is as a file attached to a email message. The emails may appropriate the names and/or branding of various legitimate companies to appear authentic. They will typically appear to be related to invoices, court orders or logistic/baggage related topics.

The attached files may be either zipped folders (.zip) containing a JavaScript (.js) file, or specially-crafted Microsoft Word document (.doc or .docx) files.

The zipped files may be identified by the related Trojan-Downloader:JS/Locky detection, while document files may be identified by the Trojan-Downloader:W97M/Locky detection.

Delivery via exploit kit

Locky ransomware can also be delivered as the payload of an exploit kit. If the user is exposed to a exploit kit (usually by visiting a compromised website, or by being redirected to a malicious one) and it successfully exploits the user's machine, the kit will download the ransomware and it will immediately run.

Encryption

Locky ransomware encrypt files stored on the machine. Depending on the specific variant, the encryption can be done using either the AES 128-bit or RSA 2048-bit encryption algorithms - which are extremely difficult to break.

Once the files are encrypted, a text file containing the ransom demand is saved on the system. In some variants, the desktop background is also changed to display the demand. The file will provide instructions on how to pay the ransom demanded.