Check Point Threat Alert: Locky Ransomware

Locky is a new type of ransomware which encrypts the victim’s files and then demands a ransom to be paid in bitcoins in order to decrypt these files. The main infection method is spam emails with an attached Word document that contains a malicious macro. The malicious macro runs a script which downloads the malware’s executable file, installs it on the victim’s computer, scans for files on the system and encrypts them.


  • A new ransomware, Locky, has recently emerged. This ransomware encrypts the files on an infected computer and demands a payment in the form of bitcoins in order to decrypt the files.
  • The ransomware is spread by spam emails with an attached Word document disguised as an invoice requiring payment. The attached Word document contains a malicious macro, which runs once the user agrees to enable macros. This macro then downloads the malware and installs it on the victim’s computer.
  • Current reported infection rates are between one and five computers every second. Approximately a quarter of a million PCs were infected within three days.
  • Check Point analysts have noticed more than 55,000 logs and infection attempts for the Locky ransomware in the past few days.
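
Because the delivery vector described above is a Word attachment carrying a macro, a mail gateway or triage script can flag such attachments before a user is asked to enable macros. The following Python is an added example, not Check Point code; the function names and the sample message are constructed for illustration, and the legacy .doc check is a byte-level heuristic rather than a full compound-file parse.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .doc container signature
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # stream name inside an OLE VBA storage

def has_vba_macro(data: bytes) -> bool:
    """Return True if the bytes look like an Office file carrying a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Heuristic (assumption): directory entry names are stored as UTF-16LE.
        return VBA_STREAM in data
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            # OOXML files (.docm, or a renamed .docx) keep macros in vbaProject.bin.
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    return False

def macro_attachments(raw_message: bytes) -> list:
    """List filenames of attachments in a raw email that contain a VBA project."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if has_vba_macro(payload):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged

# --- Constructed sample input (not real Locky material) ---
def _ooxml(names) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in names:
            z.writestr(name, b"constructed placeholder")
    return buf.getvalue()

def build_sample() -> bytes:
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Invoice", "a@example.com", "b@example.com"
    m.set_content("Constructed test message.")
    samples = {
        "invoice.docm": _ooxml(["word/document.xml", "word/vbaProject.bin"]),
        "notes.docx": _ooxml(["word/document.xml"]),
        "invoice.doc": OLE_MAGIC + b"\x00" * 64 + VBA_STREAM,
    }
    for name, blob in samples.items():
        m.add_attachment(blob, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()
```

Calling macro_attachments(build_sample()) flags the two macro-bearing files and leaves the clean .docx alone; flagged attachments can then be quarantined or stripped before delivery.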


Check Point Protections

  • Check Point SandBlast blocks malicious Locky documents based on behaviour. It has blocked thousands of unique Locky files since Feb 1st.
  • Check Point IPS blade includes two IPS protections which will block Locky spam emails that contain malicious attachments and downloaders:
  • Check Point Anti-Bot network signature (Trojan-Ransom.Win32.Locky.A) is a post-infection signature which blocks communication with the Locky C&C server.
  • Check Point Anti-Virus blade includes more than 200 relevant Locky indicators for known malicious domains and files related to Locky.
  • Check Point Anti-Bot blade includes more than 114 reputation signatures for known C&C servers of Locky.