Locky ransomware was one of the most popular malware programs throughout 2016. 7 out of 10 malicious emails delivered Locky in Q2 of 2016, and by the end of Q4 97% of all phishing emails were distributing Locky. Strangely, however, the spread of Locky took a dramatic downturn in early 2017 and there hadn’t been a resurgence…until now.

7 in 10 malicious emails delivered Locky in the second quarter of 2016.

What is Locky Ransomware?


Locky is a crypto ransomware usually distributed by the Necurs Botnet (also known for distributing the Dridex banking trojan). Once installed on a computer, it automatically encrypts all files and demands a bitcoin ransom payment for decryption. Successful delivery of Locky ransomware relies on exploiting functions within Microsoft Word and Adobe reader.

Macro Infested Word Docs

Previously, Locky ransomware was almost exclusively delivered through Word documents containing macros (single coding instructions that automatically expand to perform specific tasks). Victims would receive a phishing email with an attached document, which once opened would reveal scrambled text. In either the document or email, the cybercriminal would include instructions on how to enable macros. Once the victim enabled macros to view the text properly, Locky ransomware would automatically deploy and begin file encryption.

PhishMe uncovered 129 distinct phishing campaigns in the first quarter of 2017.

Unfortunately for cybercriminals, the use of macros to deliver ransomware has gotten a lot of attention. Awareness of this delivery method has forced them to iterate and innovate their delivery methods.

New PDF Delivery Tactics

Now, cybercriminals are using PDFs instead of Word documents to deliver Locky ransomware. Victims receive a socially engineered phishing email that convinces them to open the attached PDF. Once opened, Adobe Reader requests the user’s permission to open a second document. This “second document” is a Word doc laden with macros, which the user is instructed to enable (just like the old method) claiming them as the next Locky ransomware victim.