“Locky” ransomware – what you need to know

“Locky” ransomware – what you need to know

“Locky” is the nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky.

Of course, it doesn’t just rename your files, it encrypts them first, and – as you probably know about ransomware – only the crooks have the decryption key.

You can buy the decryption key from the crooks via the so-called dark web.

The prices we’ve seen vary from BTC 0.5 to BTC 1.00 (BTC is short for “bitcoin,” where one bitcoin is currently worth about $400/£280).


The most common way that Locky arrives is as follows:

  • You receive an email containing an attached document (Troj/DocDl-BCF).
  • The document looks like gobbledegook.
  • The document advises you to enable macros “if the data encoding is incorrect.”


  • If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it.
  • The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks.
  • The final payload could be anything, but in this case is usually the Locky Ransomware (Troj/Ransom-CGW).

Locky scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.

Locky also removes any Volume Snapshot Service (VSS) files, also known as shadow copies, that you may have made.

Shadow copies are the Windows way of making live backup snapshots without having to stop working – you don’t need to logout or even close your applications first – so they are a quick and popular alternative to a proper backup procedure.

Once Locky is ready to hit you up for the ransom, it makes sure you see the following message by changing your desktop wallpaper:


If you visit the dark web page given in the warning message, then you receive the instructions for payment that we showed above.

Unfortunately, so far as we can tell, there are no easy shortcuts to get your data back if you don’t have a recent backup.

Remember, also, that like most ransomware, Locky doesn’t just scramble your C: drive.

It scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X or Linux.

If you are logged in as a domain administrator and you get hit by ransomware, you could do very widespread damage indeed.

Giving yourself up front all the login power you might ever need is very convenient, but please don’t do it.

Only login (or use Run As...) with admin powers when you really need them, and relinquish those powers as soon as you don’t.


  • Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. ADECS can provide you with an encrypted Off-site backup service if you do not already have one in place. Contact Us for more information
  • Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
  • Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
  • Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!
  • Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
  • Mail Filter. Make sure your mail protection solution is blocking macro-enabled documents and .js scripts
Fred Noble 8/6/36 – 23/3/16

Fred Noble 8/6/36 – 23/3/16

It is with a heavy heart that we bring you the sad news that Fred Noble, the founder of ADECS Ltd, passed away yesterday.

As well as still being a non exec chairman of ADECS, Fred was the Chair of the UK IT Association (UKITA), and had been a founder member since 2000.

Fred joined IBM as a Service Engineer in 1960 and worked in Hardware Support, Software Support, HR and the Software Product Development. In 1990 Fred left IBM to set up his own business – ADECS Ltd – with the aim of providing technical support, products and guidance to small businesses. Amrik Bhabra, Chief Executive of ADECS, will always be grateful for the amazing opportunities based on trust and instinct that Fred gave him. That ethos of ADECS giving people a chance to shine and show what they are capable of, still runs true today.

Fred always knew how to tackle any issue from all aspects and angles, He always had wise advice to give and won respect from people around him. He also had a knack of motivating people and was always supportive. He considered himself to be a ‘Jack of all Trades’.

In recent years Fred dedicated his time and energy to looking after his wife Pat. Never one to complain, he got on with whatever life threw at him. We send Pat and the family our deepest sympathies at this tough time. Fred will be dearly missed and we draw comfort from the fact that in ADECS his legacy will live on.


Business Leaders ‘Go for Growth’

Business Leaders ‘Go for Growth’

Business Leaders across Coventry and Warwickshire are backing the Chamber’s Go For Growth campaign. The idea for the campaign follows the Chamber’s final Quarterly Economic Survey of 2015 which suggested businesses in the region were at their most positive at the turn of any year for over a decade,

However, the Chamber believes that there are obstacles to growth that could hold back companies from growing. These barriers have been split into six categories and the Chamber will be engaging with local authorities, MPs, ministers, business groups and other key bodies to help tackle them. The six categories are listed as skills, infrastructure, property & land, identity, international trade and finance.

C&W in Business Issue 51 February/March 2016

Is the UK failing in the war against Cybercrime?

Is the UK failing in the war against Cybercrime?

Over the past five years, the UK government has spent £1 billion in a bid to help the country’s overall levels of cyber-security. However, according to the Director of Cyber Security and Resilience at CESG, Alex Dewedney, the measures have proven to be rather ineffective. ‘I think the best way to sum up the challenge we face is that, while we’ve done a lot over the past five years and spent quite a lot of money as a government, particularly in those years of austerity we’ve been through, the bottom line is it hasn’t worked,’ he said.

CESG is part of GCHQ – the people who advise organisations on how to defend against threats. The GCHQ is apparently concentrating on improving communication and making sure businesses are informed about the latest threats. Instead, Dewedney argues, the government needs to spend money on fixing legacy IT issues which stand as gaping holes ready to be exploited. He feels that these are the basic measures that are being ignored, and that they need to be sorted out before moving on to more sophisticated defensive measures.

It is thought that reported security breaches are the tip of the iceberg, with the major issues going unreported. That is, of course because the affected business fears the damage that will be done to its reputation.

World of Tech  8th March 2016