Throughout the year, Forcepoint’s researchers been monitoring key milestones in Locky’s evolution; from its birth in February and the addition of virtual machine (VM) and analysis tool countermeasures in June, to its use of off line encryption in July and an intermediate downloader in September.

Locky is distributed through exploit kits on infected websites and emails via infected MS Office and ZIP file attachments. The ransomware seeks to encrypt any files it can find, usually with a “.locky” extension (newer variants use the .zepto, .thot and .zzzzz extensions), before demanding payment in Bitcoin.

Carl Leonard, Principal Security Analyst at Forcepoint:

Carl Leonard“Locky has been a growing menace in 2016. Its constantly changing distribution technique and functionality has been used to successfully extort many people’s money. In the face of continually evolving malware and ransomware strains it is important for businesses to stay vigilant and ensure they complement strong IT defences with security best practice. As always, it is important to back up and archive business critical data and only open email attachments from trusted or verified senders.”