Locky ransomware virus spreading via Word documents

Updated 17th February 2016 at 1pm GMT

New updated story here: https://medium.com/@networksecurity/you-your-endpoints-and-the-locky-virus-b49ef8241bea#.pthlo2yk6

Monitoring Locky

I have intercepted one of the unregistered domain names, which has given me visibility of infected networks.


To recover your files you need to look for backups. If your backups are network-based, you may have a problem as these may also be ransomed. I do not recommend paying ransoms.

Identifying infected network users

If you see .locky extension files appearing on your network shares, look up the file owner of the _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer account immediately and boot them off the network — you will likely have to rebuild their PC from scratch.
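
One way to run the owner lookup described above across a whole share, as an added example that is not part of the original post. The share path is a placeholder you supply; the ransom note name is the one given in the article.

```powershell
# Added example: map Locky ransom notes on a share to the accounts that wrote them.
# $SharePath is a placeholder parameter; point it at your own file share.
param(
    [Parameter(Mandatory)]
    [string]$SharePath,
    [string]$NoteName = '_Locky_recover_instructions.txt'  # note name from the article
)

# Find every ransom note under the share; folders we cannot read are skipped.
$notes = Get-ChildItem -LiteralPath $SharePath -Filter $NoteName -File -Recurse `
    -ErrorAction SilentlyContinue

# Resolve the NTFS owner of each note. The owner is the account that created the file.
$hits = foreach ($note in $notes) {
    try {
        $owner = (Get-Acl -LiteralPath $note.FullName -ErrorAction Stop).Owner
    } catch {
        $owner = 'UNKNOWN (ACL unreadable)'
    }
    [pscustomobject]@{
        Owner   = $owner
        Folder  = $note.DirectoryName
        Created = $note.CreationTime
    }
}

if (-not $hits) {
    Write-Output "No $NoteName files found under $SharePath"
    return
}

# One row per owner: number of folders hit, and the first and last note timestamps.
$hits | Group-Object Owner | ForEach-Object {
    $sorted = $_.Group | Sort-Object Created
    [pscustomobject]@{
        Owner     = $_.Name
        Folders   = $_.Count
        FirstSeen = ($sorted | Select-Object -First 1).Created
        LastSeen  = ($sorted | Select-Object -Last 1).Created
    }
} | Sort-Object FirstSeen | Format-Table -AutoSize

# Full per-folder list, useful for scoping what has to be restored from backup.
$hits | Sort-Object Created | Format-Table Owner, Created, Folder -AutoSize
```

The accounts listed in the Owner column are the ones to lock in AD, and the FirstSeen time gives a lower bound for which backups predate the encryption.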


I strongly recommend you look into securing Microsoft Office in your environment. You can do this with half an hour's work — if you fail to do this step, you will keep getting hit.

Technical details

Communication via hxxp://

Everything here is my personal work and opinions.
