You may have seen reports of the Locky malware circulating the web; we think this is a good time to discuss its distribution methods, and reiterate some best-practice methods that will help prevent infection.
We’ve seen Locky being distributed by spam email, not in itself a unique distribution method, but this means that spreading is broad and not isolated to any particular region. This ransomware knows no borders, and we’ve seen high infection rates across the world.
The Locky email attachment usually arrives as a Word document (though it can also be an Excel document) that appears to be an invoice. We’ve also seen the following downloaders distribute Ransom:Win32/Locky.A:
If you open this file and allow the macro to run, the malware is downloaded and runs on your PC, encrypting your files. A ransom message is then displayed demanding payment in order to unlock your encrypted files. Note that once your files are encrypted, the only guaranteed way to restore them is from backup. Microsoft does not recommend you pay the ransom; there is no guarantee that this will give you access to your files.
While Microsoft detects and removes Locky, we recommend you disable macros to help prevent this and other macro-downloaded threats from infecting your PC, and then only enable macros that you trust, on a case-by-case basis. To help keep your enterprise secure, consider using a trusted location for files in your enterprise; you can then store documents that require macros there. You can also use our cloud protection services to help boost your protection; this, and other advice on how to help keep your PC protected, are outlined below.
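Because the infection described above depends on a macro inside a Word or Excel attachment, a mail administrator can complement the macro settings by flagging attachments that carry a VBA project before they reach users. The following is an added example, not code from the original post or from Microsoft: the function names, the verdict strings and the quarantine policy are assumptions, the legacy-format check is a byte-pattern heuristic rather than a full parser, and the sample files are constructed in memory.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # legacy .doc/.xls container
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")  # VBA stream name in an OLE directory
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam")


def classify_attachment(filename, data):
    """Report container type, VBA presence and a (hypothetical) gateway verdict."""
    result = {"container": "other", "has_macro": False, "verdict": "allow"}
    if data[:8] == OLE_MAGIC:
        result["container"] = "ole"
        # Heuristic: OLE directory entry names are stored uncompressed as UTF-16LE.
        result["has_macro"] = VBA_DIR_NAME in data
    elif data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            result["verdict"] = "quarantine"  # malformed archive: do not deliver
            return result
        if "[content_types].xml" in names:
            result["container"] = "ooxml"
            result["has_macro"] = any(n.endswith("vbaproject.bin") for n in names)
    if result["has_macro"]:
        result["verdict"] = "quarantine"
        # OOXML file whose name does not advertise macros (.docx, .xlsx, ...).
        if result["container"] == "ooxml" and not filename.lower().endswith(MACRO_EXTS):
            result["verdict"] = "quarantine-mismatched-extension"
    return result


def make_sample_ooxml(with_macro):
    """Build a constructed, minimal OOXML-like zip in memory (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_attachment("invoice.docx", make_sample_ooxml(False)))
    print(classify_attachment("invoice.docm", make_sample_ooxml(True)))
    print(classify_attachment("invoice.doc", OLE_MAGIC + b"\0" * 504 + VBA_DIR_NAME))
```

A macro-free document passes, while any attachment that contains a VBA project is held for review regardless of its file name.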