Locky encrypts your data and completely changes the filenames

When Locky is started it will create and assign a unique 16 hexadecimal number to the victim and will look like F67091F1D24A922B. Locky will then scan all local drives and unmapped network shares for data files to encrypt. When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

Affecting file types

Locky malware can encrypt 164 file types that can be broken down into 11 categories:

Office/Document files (62x):

.123, .602, .CSV, .dif, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .hwp, .mml, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .pdf, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .RTF, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .sxc, .sxd, .sxi, .sxm, .sxw, .txt, .uop, .uot, .wb2, .wk1, .wks, .xlc, .xlm, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml

Scripts/Source codes (23x):

.asm, .asp, .bat, .brd, .c, .class, .cmd, .cpp, .cs, .dch, .dip, .h, .jar, .java, .js, .pas, .php, .pl, .rb, .sch, .sh, .vb, .vbs

Media files (20x):

.3g2, .3gp, .asf, .avi, .fla, .flv, .m3u, .m4u, .mid, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .swf, .vob, .wav, .wma, .wmv

Graphic/Image files (14x):

.bmp, .cgm, .djv, .djvu, .gif, .jpeg, .jpg, .NEF, .png, .psd, .raw, .svg, .tif, .tiff

Database files (14x):

.db, .dbf, .frm, .ibd, .ldf, .mdb, .mdf, .MYD, .MYI, .odb, .onenotec2, .sql, .SQLITE3, .SQLITEDB

Archives (11x):

.7z, .ARC, .bak, .gz, .PAQ, .rar, .tar, .bz2, .tbk, .tgz, .zip

CAD/CAM/3D files (8x):

.3dm, .3ds, .asc, .lay, .lay6, .max, .ms11, .ms11 (Security copy)

Certificates (5x):

.crt, .csr, .key, .p12, .pem

Virtual HDD (4x):

.qcow2, .vdi, .vmdk, .vmx

Data encryption (2x):

.aes, .gpg

Virtual currency (1x):


Because the file type range is very wide, this malware can also affect a large number of businesses.

Locky encrypts files on all fixed drives, removable drives and also on RAM disk drives. Remote drives are not affected.

Furthermore, Locky will skip any files where the full pathname and filename contain one of the following strings:

tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows

When Locky encrypts a file it will rename the file to the format [unique_id][identifier].locky. So when test.jpg is encrypted it would be renamed to something like F67091F1D24A922B1A7FC27E19A9D9BC.locky. The unique ID and other information will also be embedded into the end of the encrypted file.

It is important to stress that Locky will encrypt files on network shares even when they are not mapped to a local drive. As predicted, this is becoming more and more common and all system administrators should lock down all open network shared to the lowest permissions possible.

As part of the encryption process, Locky will also delete all of the Shadow Volume Copies on the machine so that they cannot be used to restore the victim’s files. Locky does this by executing the following command:

vssadmin.exe Delete Shadows /All /Quiet

In the Windows desktop and in each folder where a file was encrypted, Locky will create ransom notes called _Locky_recover_instructions.txt. This ransom note contains information about what happened to the victim’s files and links to the decrypter page.

Locky will change the Windows wallpaper to %UserpProfile%\Desktop\_Locky_recover_instructions.bmp, which contains the same instructions as the text ransom notes.

Locky Wallpaper

Last, but not least, Locky will store various information in the registry under the following keys:

  • HKCU\Software\Locky\id — The unique ID assigned to the victim.
  • HKCU\Software\Locky\pubkey — The RSA public key.
  • HKCU\Software\Locky\paytext — The text that is stored in the ransom notes.
  • HKCU\Software\Locky\completed — Whether the ransomware finished encrypting the computer
One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.