Locky Ransomware: Back in Action with a New Delivery Method

Locky ransomware was one of the most popular malware programs throughout 2016. 7 out of 10 malicious emails delivered Locky in Q2 of 2016, and by the end of Q4 97% of all phishing emails were distributing Locky. Strangely, however, the spread of Locky took a dramatic downturn in early 2017 and there hadn’t been a resurgence…until now.

7 in 10 malicious emails delivered Locky in the second quarter of 2016.

What is Locky Ransomware?

Locky is a crypto ransomware usually distributed by the Necurs Botnet (also known for distributing the Dridex banking trojan). Once installed on a computer, it automatically encrypts all files and demands a bitcoin ransom payment for decryption. Successful delivery of Locky ransomware relies on exploiting functions within Microsoft Word and Adobe reader.

Macro Infested Word Docs

Previously, Locky ransomware was almost exclusively delivered through Word documents containing macros (single coding instructions that automatically expand to perform specific tasks). Victims would receive a phishing email with an attached document, which once opened would reveal scrambled text. In either the document or email, the cybercriminal would include instructions on how to enable macros. Once the victim enabled macros to view the text properly, Locky ransomware would automatically deploy and begin file encryption.

PhishMe uncovered 129 distinct phishing campaigns in the first quarter of 2017.

Unfortunately for cybercriminals, the use of macros to deliver ransomware has gotten a lot of attention. Awareness of this delivery method has forced them to iterate and innovate their delivery methods.

New PDF Delivery Tactics

Now, cybercriminals are using PDFs instead of Word documents to deliver Locky ransomware. Victims receive a socially engineered phishing email that convinces them to open the attached PDF. Once opened, Adobe Reader requests the user’s permission to open a second document. This “second document” is a Word doc laden with macros, which the user is instructed to enable (just like the old method) claiming them as the next Locky ransomware victim.


Screenshot of Adobe Reader asking for additional permissions.



Screenshot of Microsoft Word asking the user to enable macros.


The simple action of adding the PDF step is enough to trick previously trained employees into falling for the attack. Plus, this simple variation makes it difficult for email filtering systems to detect the attack.

Defend Against Locky Ransomware with Vade

The only way to defend against this evolving threat is with advanced email protection. Our AI-backed software can detect both known and unknown ransomware variants. With our layered protection method, we analyze the text, the sender, and the attachment’s content in every email, ensuring emails are safe before they enter your employees’ inboxes.

Our solution uses:

  • Fingerprint analysis: to quickly identify and remove known threats using two separate anti-virus scanners
  • Behavioral Analysis: our AI looks for subtle stylistic and behavioral indicators that may be coming from harmful emails, URLs, or attachments
  • Technical Analysis: assesses the real endpoint of every URL and the content within every attachment
  • Inbound Filtering: automatically deletes emails coming from known email malware and phishing signatures
  • Identity Verification: sender identity is verified against your contacts to ensure that the email is coming from a legitimate source

Our advanced email security suite has successfully detected every variant of Locky ransomware and CryptoLocker over the past several years with 100% accuracy.

The Vade advanced email security suite protects your organization from all types of cyber threats. Cyber security training only goes so far; Vade can strengthen your defenses against ransomware, spear phishing, and zero-day attacks.

Think that the Vade advanced email security suite might be the solution for you? Contact us today for a demo or proof of concept.