Locky ransomware: Why this menace keeps coming back

It's one of the most successful forms of ransomware. Here's why the Locky ransomware keeps disappearing - only to reappear again.
Written by Danny Palmer, Senior Writer

Why does this particular cyber threat keep rearing its ugly head?


It was arguably the incident which pushed the threat of ransomware into the view of the whole world, over a year before the WannaCry outbreak.

In February 2016, the Hollywood Presbyterian Medical Center in Los Angeles, California became infected with Locky ransomware. The infection encrypted systems throughout the facility, locking staff out of computers and electronic records.

Eventually, the hospital paid a ransom of 40 Bitcoins - then equivalent to $17,000 - in order to acquire the decryption key to restore its data.

"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this," Allen Stefanek, president of the Hollywood Presbyterian Medical Center, said at the time.

Locky went on to plague victims around the world during most of 2016 with many seeing no alternative beyond paying up.

This particular strain of ransomware was so prolific that by November it was one of the most common malware threats in its own right.

But then Locky disappeared in December 2016, prompting some cyber security researchers to suggest that those behind it had simply gone on a Christmas break. It eventually re-emerged in January, but only in a tiny fraction of the instances seen at its height, and infections have been spiking and dropping ever since.

For example, after months of almost zero activity, the former king of ransomware suddenly returned in August, and in a big way, as millions of phishing emails containing a Locky payload flooded inboxes. Not only that, but potential victims are being targeted with new strains of Locky: Diablo and Lukitus.

But why did this ransomware go so quiet in the first place?

Nobody knows who exactly is behind Locky, but the sophistication of the ransomware, and the strength of the underlying cryptography which researchers haven't been able to crack, points to it being the work of a highly professional group.

Like a legitimate software developer, they're constantly working to update their product, and unlike other forms of ransomware, Locky isn't available 'as-a-service' for others to use, so it's possible the campaigns go quiet while those behind it work on their code or experiment with new tactics.

"The respite we saw from Locky was likely just a planned pull-back on the attackers' part. Like any organisation, they need time to refine code and command-and-control infrastructure, plan new attack vectors, organise ransom payment collection methods and compile new lists of targets," said Troy Gill, manager of security research at AppRiver.

Each time Locky has briefly re-emerged before seemingly disappearing during the course of this year, it's been doing something a little different, suggesting that those behind it are experimenting.

For example, a Locky spike in April saw the ransomware flirt with a new delivery technique, distributing itself via infected PDFs instead of Office documents, a tactic associated with the Dridex malware botnet. So it could be that the ransomware simply goes offline while those behind it examine malware trends and work out how to build them into Locky to make it more successful.


"The timing of these comebacks matches closely with the introduction of new attributes such as the most recent Diablo and Lukitus extensions for attached files and the use of new distribution techniques involving PDF documents or phishing links," says Brendan Griffin, threat intelligence manager at PhishMe.

"These periods of Locky absence are used as a chance to build upon their successes and find new, smarter ways to deliver their ransomware."

Locky is distributed via the Necurs botnet - a zombie army of over five million hacked devices - and the ransomware appears to go off the radar when the botnet is used for other activity. For example, Necurs re-emerged following a period of inactivity in March, with its power harnessed to distribute email stock scams.

The following months saw the continuation of malicious activity, with Necurs shifting to the distribution of Jaff ransomware.

While less sophisticated than Locky, researchers believe Jaff and Locky to be connected. Not only do the Jaff decryptor website and the Locky decryptor websites look almost identical, but like Locky, the ransomware will delete itself from the infected machine if the local language is Russian.

Unlike the case of Locky, researchers have been able to construct a decryption tool for Jaff, distribution of which has declined since the tool was released in June.

Since then, the Necurs botnet has returned to distributing Locky, which might indicate that while they may experiment with other forms of cyber criminal activity, those behind Locky see it as a reliable tool to fall back on - because it works and generates revenue.

"Locky is an incredibly powerful and well developed piece of ransomware," says Adam Kujawa, director of malware intelligence at Malwarebytes. "At the end of the day, the bad guys want to make money and they will use whatever software they can get their hands on to make that happen."

So while Locky is successful, those behind it are opportunistic and are constantly on the lookout for other means of making money - and if that means dropping Locky in favour of something else then so be it.

But for now, Locky remains successful - because if victims weren't still paying ransoms, the attackers would swiftly move on to something else. Yet 18 months on from the Hollywood Presbyterian Medical Center attack, it's still here and it's still successfully infiltrating networks.

Ransomware remains successful because it works: enough people get infected after being duped by phishing emails, and enough organisations give in and pay the ransom in order to regain access to their systems - especially as there's still no decryption tool available for Locky.

Simply put, Locky keeps returning because it is successful. So the next time it appears to go silent, don't make any assumptions about the ransomware being dead - it's likely that it's just gone offline while those behind it work to make it even more effective.
