Know Why Locky Ransomware Comes Back


Most Windows users are by now familiar with Locky, the ransomware that has infected PCs around the world. In the cat-and-mouse game between malware authors and security vendors, criminals keep experimenting and spinning up new ransomware variants to hit Windows users at scale. From a security perspective, 2016 was the year of Locky: on a single day last year, malware researchers detected 37 billion Locky emails aimed at Windows systems.


At the beginning of 2017 this family went quiet, apart from brief revivals here and there. Then, in August, it returned with a major resurgence that continues to this day. The story behind Locky's return says something about Darwinism in the 'malware marketplace'.

When researchers looked into why Locky had stopped, they found the answer in Jaff ransomware, which appeared in May of this year. Jaff is attributed to the same criminal gang that runs the Dridex banking trojan and Locky. For quick background: Jaff was pushed out in full force during the same week that WannaCry was grabbing the headlines.

On May 12, the day before WannaCry took off, Cyren's security cloud caught about 65 million Jaff emails delivered by the Necurs botnet. Because of WannaCry's impact, Jaff received only a little attention. Since it was spread by the same botnet as Locky, the working assumption was that Jaff had replaced Locky; in several respects it looked like a new and improved Locky, a 'Locky 2'.

Looking at Jaff, it appears the gang behind Locky was trying to innovate and go 'upmarket', both technically and financially. It demanded a much larger ransom than typical ransomware, and its payload attachment was considerably more complex than Locky's: a PDF carrying an embedded Word document with malicious macros.


When the macro executed, it downloaded further malicious JavaScript, which in turn downloaded the ransomware as an .exe that encrypted the victim's files. Jaff came with built-in tactics to evade detection: email subjects and file names were randomized, the sequence of actions taken by the PDF was reordered, and the Word macro that set up the download, as well as the download link itself, was slightly different in each variant.
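As an added example (not code from the original article, nor from Cyren or any other vendor named here), the following Python script shows the kind of static attachment check a mail gateway or analyst could run against the chain described above: it pulls embedded files out of a PDF, checks whether an embedded OOXML document carries a vbaProject.bin (VBA macro) part, and flags PDF-side auto-open actions and JavaScript. The build_pdf and build_docm helpers produce constructed sample data for demonstration only; the JavaScript they embed (exportDataObject with nLaunch) is one well-known way a PDF can drop and open an attachment and is included as an assumption about how such a chain is triggered, not as a claim about Jaff's exact code. The parser handles only uncompressed and FlateDecode streams and assumes the Filespec key order shown.

```python
import io
import os
import re
import zipfile
import zlib
from typing import Optional

# Legacy binary Office formats can always hold VBA; this parser cannot inspect
# them, so they are treated as macro-capable on extension alone.
LEGACY_BINARY_EXTS = {".doc", ".dot", ".xls", ".ppt"}


def _pdf_objects(pdf: bytes) -> dict:
    """Map object number -> raw body for every 'N 0 obj ... endobj' pair."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(rb"(\d+)\s+0\s+obj\b(.*?)endobj", pdf, re.S)}


def _stream_payload(body: bytes) -> Optional[bytes]:
    """Return the stream inside one object body, inflating FlateDecode streams."""
    m = re.search(rb"stream\r?\n(.*?)\nendstream", body, re.S)
    if not m:
        return None
    data = m.group(1)
    return zlib.decompress(data) if b"/FlateDecode" in body else data


def ooxml_has_vba(blob: bytes) -> bool:
    """True if an OOXML (zip-based) document contains a VBA project part."""
    if not blob.startswith(b"PK"):
        return False
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def analyze_pdf(pdf: bytes) -> dict:
    """Static triage of a PDF: embedded Office files, macros, auto-actions, JS."""
    objs = _pdf_objects(pdf)
    report = {
        "auto_action": bool(re.search(rb"/(OpenAction|AA)\b", pdf)),
        "javascript": bool(re.search(rb"/(JavaScript|JS)\b", pdf)),
        "export_data_object": b"exportDataObject" in pdf,
        "embedded": [],
    }
    # A Filespec names the attachment (/F) and points, via /EF /F, at the
    # EmbeddedFile stream object. The key order written here is assumed.
    spec = rb"/Filespec.*?/F\s*\((.*?)\).*?/EF\s*<<\s*/F\s+(\d+)\s+0\s+R"
    for m in re.finditer(spec, pdf, re.S):
        name = m.group(1).decode("latin-1")
        ext = os.path.splitext(name)[1].lower()
        payload = _stream_payload(objs.get(int(m.group(2)), b"")) or b""
        report["embedded"].append({
            "name": name,
            "legacy_binary": ext in LEGACY_BINARY_EXTS,
            "has_vba": ooxml_has_vba(payload),
        })
    macro_doc = any(e["has_vba"] or e["legacy_binary"] for e in report["embedded"])
    if macro_doc and (report["javascript"] or report["auto_action"]):
        report["verdict"] = "high"    # macro document plus a trigger to launch it
    elif macro_doc or report["javascript"]:
        report["verdict"] = "medium"
    else:
        report["verdict"] = "low"
    return report


def build_docm(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container; only the VBA part matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


def build_pdf(name: str, attachment: bytes, launch_js: bool) -> bytes:
    """Constructed PDF skeleton with one FlateDecode EmbeddedFile; optionally an
    OpenAction whose JavaScript exports and opens that attachment (assumed chain)."""
    data = zlib.compress(attachment)
    n = name.encode()
    catalog = b"<< /Type /Catalog /Names << /EmbeddedFiles << /Names [(%s) 4 0 R] >> >>" % n
    objs = {
        1: catalog + (b" /OpenAction 6 0 R >>" if launch_js else b" >>"),
        4: b"<< /Type /Filespec /F (%s) /EF << /F 5 0 R >> >>" % n,
        5: b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
           % (len(data), data),
    }
    if launch_js:
        objs[6] = b'<< /S /JavaScript /JS (this.exportDataObject({cName: "%s", nLaunch: 2});) >>' % n
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (k, v) for k, v in objs.items())
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    malicious = build_pdf("invoice.docm", build_docm(True), launch_js=True)
    benign = build_pdf("report.docx", build_docm(False), launch_js=False)
    for label, sample in (("malicious", malicious), ("benign", benign)):
        print(label, analyze_pdf(sample))
```

The verdict logic is deliberately layered: an embedded macro-capable document on its own is worth a look, but the combination with an OpenAction or JavaScript that can launch it is what matches the delivery chain above. Real samples use object streams, /UF names, indirect /Length values and sometimes encryption, so for production use feed the PDF to a full parser and hand any extracted Office document to a dedicated macro analyzer rather than relying on these regexes.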

Rather than taking the world by storm, Jaff has disappeared. Over the past two months Locky has reemerged with new and improved variants, including Diablo, Lukitus and Ykcol, the last of which started on September 18th, 2017. According to Cyren's security cloud, the Ykcol wave exceeded 60 million emails delivered by Necurs, and 15,000 distinct ".lukitus" samples were detected in a single day.

One theory for why 'Locky is back' is that Jaff proved too complex, and the gang decided to go back and upgrade the simpler, already proven model rather than persist with the new platform. The varying three-level structure (PDF, Word macro, JavaScript downloader) was complex to maintain, and its several moving parts made detection easier. With Jaff gone, the Locky operators have themselves gone upmarket: they now demand 0.5 BTC from each victim in exchange for the decryption tool.

