Site icon Panda Security Mediacenter

‘Locky’. How it works

data shield

We don’t know if you’ve heard of the new Ransomware which is called ‘Locky’…

It works as follows:

 

In fact, if we suspect that we have been attacked by Locky we can look for one of these files in our computer – if they’re there, then we know Locky has paid us a visit:

When the Word document that started the infection is opened, it downloads Locky, and what we have seen is that in all cases the malware comes from a legal website which has been compromised. It is there that the malware is stored. These are some of the URLs hosting malware:

The email that it comes attached in is the following:

In this case, the attached Word is called invoice_J-67870889.doc

Some of the variants that we have seen used PowerShell to carry out the downloading and running of Locky from the macro, with the rest of it being the same.

Exit mobile version