How To Protect Your Device From Locky Ransomware

Locky ransomware is a nasty, but sophisticated attack that can cost you more than you may think. We’ll teach you how to remove Locky ransomware from your device and provide tips to avoid ransomware.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

Locky ransomware is a cyberattack that extorts money from unsuspecting victims. Starting with a phishing email, you’re tricked into downloading malware from an email attachment. Then, a trojan encrypts your device’s files until you make a ransom payment. But even if you choose to send the money, you may not get your files back.

In order to protect your data and your finances, you must prevent ransomware from infecting your device. That means familiarizing yourself with hacker techniques, being cautious when receiving files and emails, and using the best antivirus software.

We’ll dive into what Locky ransomware is, how to remove it from your device, and tips to protect yourself against ransomware.

In this article
What is Locky ransomware?
How does Locky ransomware work?
How to detect Locky ransomware on your device
How to remove Locky ransomware from your device
Tips to protect yourself against ransomware
Locky ransomware FAQs
Bottom line

What is Locky ransomware?

Locky ransomware is a cyberattack that relies on social engineering. Social engineering is an attack that uses your relationships to its advantage. Once your trust is established, it can be easy for cybercriminals to gain confidential information. Locky emails may show up in your inbox as an invoice that’s due, which makes you think it’s an attachment that’s safe to open. Thinking you need to pay a bill, you open the malicious attachment, which then infects your machine.

Locky ransomware is not new. The malware was first discovered in 2016, when it was used for an attack by a group of hackers. During this attack, Locky spread rampantly through phishing emails with infected attachments, which created 160 encrypted files. It even spread worldwide through North America, Europe, and Asia. One of the first targets was a Los Angeles hospital, which paid a $17,000 ransom.

How does Locky ransomware work?

Locky ransomware mainly attacks Windows devices. It begins with the Necurs botnet, which pushes out phishing emails that trick people into downloading malware. Once that happens, you end up with a trojan that encrypts files and then demands ransom money for their decryption. Millions of spam emails get distributed with Microsoft Word documents.

Once you open the attachment, it’ll prompt you to enable Word macros so the attachment contents can be displayed. But after enabling those macros, a malicious script will install the Locky ransomware on your device.

It’s easy to see how Locky ransomware can spread quickly from one person to another. You might not be suspicious of the email because the attachment is reported to be something like an invoice or a common file that doesn’t raise any flags. Once the files are encrypted, Locky changes encypted filenames and file extensions change to other file types like .aesir, .odin, and .osiris (all of which are versions of Locky).

One of the only functions you can still perform is to interact with the hackers, who demand a ransom for the release of your files or operating system. Typically, the goal is to lock you out of your device. Once that’s in place, you’ll get a plaintext message letting you know your files are encrypted, and there will be a ransom note explaining the steps you must take to get your locked files back.

Hackers may ask you to use Tor Browser and then visit their website on the dark web. There, you’ll receive more details about how to pay the ransom. Often these cybercriminals will want you to pay with cryptocurrency like bitcoin in exchange for the encryption key to unlock your important files.

Locky variants

There are several versions of Locky ransomware that you should be aware of:

  • PowerLocky: This type combined Locky and fileless PowerWare ransomware and used phishing emails to infect files.
  • Diablo: Diablo used the files extension .diablos6 to encrypt files. Its spam emails contained ZIP attachments and used more advanced methods to avoid detection.
  • Zepto: Zepto emerged in 2016 and used the same techniques as Locky, sending emails that were personalized with the victim’s first name and ZIP attachments.
  • Odin: Odin came after Zepto, following Locky’s behaviors with spam campaigns directed at people in the U.S.
  • Osiris: Osiris introduced a new encryption algorithm that made it harder to track and shut down the infection. It also attacked Android and macOS along with Windows.
  • Thor: First identified in 2017, Thor used code obfuscation to make detection harder for cybersecurity researchers. This is where an executable that’s no longer useful gets modified to hide malware.

How to detect Locky ransomware on your device

Sometimes even the best antivirus software can miss malware on a device. The best way to spot Locky ransomware is to become good at learning hackers’ techniques. You must know what to look for when receiving phishing emails or social engineering attacks.

If you get emails from random people or email addresses, don’t open them. It’s especially crucial not to open unknown attachments. These infected attachments may be disguised as critical documents or invoices to give you a sense of urgency. Don’t fall for it.

Also, pay attention to the language. Many of these emails will have bad grammar and be formally addressed to the recipient, like “Dear Sir/Madam.” Some emails may not have anything other than a subject line and the infected attachment.

How to remove Locky ransomware from your device

If you’re unfortunate enough to get Locky ransomware on your device, you may feel frustrated and overwhelmed. While it can produce some understandable anxiety, the good news is that you can remove ransomware by taking the following steps:

  1. Open your trusted antivirus software.
  2. Choose the Full Scan option to search all of your files.
  3. Remove any threats that are found.

Your antivirus software may be able to remove Locky from your device, but it cannot restore your data. To restore your data, your best bet is a decryption tool, which can scan your device to find the files on your hard drive. Unfortunately, there isn’t a foolproof method for releasing Locky’s encryption.

Best antivirus to protect yourself against ransomware

One of the simplest ways to protect yourself against future ransomware is to have the best malware removal tools at your disposal before things go sideways. If you aren’t sure where to start, here are some antivirus software recommendations:

  • Norton: Norton is a popular antivirus that comes with plenty of additional security features, like a password manager and a virtual private network (VPN).

    Get Norton | Read Our Norton Review

  • TotalAV: TotalAV is an affordable antivirus option that’s easy to download, install, and begin using immediately.

    Get TotalAVRead Our TotalAV Review

  • McAfee: McAfee is great for people who want excellent security protection with extras like identity monitoring, personal data cleanup, and a VPN.

    Get McAfee | Read Our McAfee Review

Enjoy Norton’s 100% Virus Protection Promise
Editorial Rating
Learn More
On Norton 360 Antivirus's website
Antivirus Software
Norton 360 Antivirus
Save up to 58% your first year
  • 4 plans available, all including antivirus, malware, ransomware, and hacking protection, Cloud backup, and a secure password manager
  • Option to add VPN connection, dark web monitoring, privacy monitoring, and more
  • Available for up to 10 devices depending on plan
  • Multi-tab navigation may be overwhelming at first

Tips to protect yourself against ransomware

You shouldn’t feel like ransomware is an eventuality that happens to everyone. With some planning, you can prevent ransomware from invading your device. Below are some practical tips you can use to keep those devious hackers away from your data.

  • Use antivirus software: The first line of defense from any malware is to have a solid antivirus that will scan your device for anything suspicious.
  • Know ransomware methods: Remember that the typical way ransomware gets distributed is through social engineering and email phishing.
  • Keep software updated: Your operating system and software routinely send updates that may help patch known security issues.
  • Only download from safe sources: Never open or download attachments from unknown people or addresses.
  • Back up your files: Any important data should get backed up frequently to the cloud or another storage modality that’s not accessible from your device.
  • Use a firewall: A firewall monitors incoming and outgoing traffic and blocks unauthorized users.
  • Enable spam filters: These filters can decrease malicious emails and improve your email security.
  • Disable macro scripts: Since most Locky attacks used malicious macros to distribute the ransomware, you can configure your Microsoft Office suite to disable them. If you decide to enable any macros, only do so from formats you trust and make sure to verify their legitimacy.

Locky ransomware FAQs


Is Locky ransomware still active?

Locky ransomware is no longer active, but there are plenty of ransomware methods to take its place. Learning how to spot ransomware is still necessary to protect your data and keep you from becoming a target for ransomware in the future.


What is an example of Locky ransomware?

One example of Locky ransomware is the 2016 attack on a hospital in Los Angeles, when hackers demanded and received $17,000 to resolve the hack. More healthcare institutions were attacked after that event.


What can you do to protect yourself from Locky ransomware?

There are several things you can do to protect yourself from Locky ransomware, like using antivirus software and becoming knowledgeable about the methods hackers use to infect your device.

Bottom line

By installing the best antivirus software for your needs and knowing how these hackers operate, you’ll be prepared when and if ransomware comes your way. Staying familiar with all the current social engineering techniques will help you avoid phishing emails and fake websites. Remember to download attachments only from known sources and don’t open emails from senders you don’t know.

The most important takeaway here is that you’re not helpless when it comes to any type of ransomware. We want to put you in the driver’s seat with actionable steps you can take to prevent these cybercriminals from successfully attacking your device. Ransomware attacks will come in all shapes and sizes to throw you off, but with the tips in this article, you’ll be way ahead of any hacker’s techniques.

Online Protection With VPN Access and Identity Monitoring
Editorial Rating
Learn More
On McAfee's website
Save $90 on a 2-year plan
  • Inclusive antivirus, scam, and web protection with the added privacy of a VPN, identity monitoring, and secure password manager
  • Get a real-time Protection Score that measures your online safety and offers guidance to improve security
  • Added peace of mind with 24/7 expert online support and McAfee’s Virus Protection Pledge
  • Multiple pop-ups for text notifications can be annoying

Author Details
Patti Croft is a seasoned writer who specializes in all things technology. She holds a B.S. in Computer Science and carries a wealth of hands-on experience thanks to her background as a technical analyst and security specialist.