Ransomware – A Simple ‘Pay or Loose Everything’ Game

Ransomware is nothing new in the malware world. The devastation it has caused in last few years is beyond one’s imagination. Well, It all started back in 1989 when a guy named Joseph Popp authored the first ransomware named “AIDS” who was declared mentally unfit when he was caught and was made to stand on trial.

Well, The idea was simple which still holds true that somehow you make the victim to run the malware which makes sure the files in the storage drives become unusable. And, then a considerable amount of money is proposed by the attacker which needs to be paid by the victim to make those files accessible again.


In year 2013, a big sum of around 250,000 samples were detected by McAfee in just first quarter. And, it’s not over yet. Every year, one can hear 1 out 10 people who uses computer has seen himself or his friend got affected by this malware.

Let’s talk about one of the most popular ransomware in red alert these days. Yes, if you already know the name of the ransomware before moving forward, you are a true security analyst. It’s none other than LOCKY.

Locky – Just a heads up!!

Release Date

Feb 2016

Infected Systems

Windows XP, 7, Vista, 8, 10


 The victim have his files residing in drives encrypted into .locky extension files and a ransom of some bitcoin is demanded to recover them back to original.


 This ransomware once executed by victim starts its execution by scanning all the files in local and network drives and set pre-defined extensions only as its target and then, encrypts them using AES encryption algorithm.

Locky Decryptor Page

Once the job is done, the desktop wallpaper is changed to different image which contains a note about the instructions that are needed to be followed by victim in order to get his files back decrypted. It also changes the default page of your browser with similar ransom note. One of the step in the note asks the victim to go through the given tor hosted link which contains all the details to pay ransom on malware sender’s bitcoin address. Once payment is done and confirmed by the sender, the same page will appear with a download link to the decrypter.


Victim has to pay the ransom. There is no other choice if you really want your files back. Though, there are few precautions that you can take:

  1. Always have a backup whether it’s online or offline
  2. Learn to keep Shadow Volume Copies. Locky doesn’t act on them.

One of the latest example can be seen here:


A JS Sample : https://malwr.com/analysis/Y2Y4NDNhYmFlMjYxNDI0NGEwMjliYTY3NDc2ZmU4NmU/

A doc Sample : https://malwr.com/analysis/ZGZmMmJhZGYwMzBlNDIxZGEzZjE5ZDhjYzcyODYyMTE

Virustotal Analysis Result


Related Posts

Leave a Reply

Your email address will not be published.