Locky encrypts files on any PC it manages to compromise. When it lands on a networked computer, it also tries to reach every drive accessible from that machine. The aim is obvious: to deny access to as many files as possible, which makes it especially dangerous for corporate networks.
The infection has been propagating in the wild at varying intensity. Quiet periods can last a long time, but they are always followed by bursts of increased activity.
The virus hits users worldwide, though observations show it may refrain from encrypting files on computers registered in certain regions.
Since Locky is offered as a service, its distributors can adjust the malware's behavior. The developers sell the ransomware to affiliates on a number of darknet forums. Access to those forums is restricted, but in practice even kids manage to get in; it takes only a few simple tricks and some persistence.
The forums offer the infection on pre-paid and affiliate terms, along with a range of presets that determine how the malware behaves. For instance, the virus detects the IP address of the affected machine in any case; a distributor may then disable installation for IP addresses that correspond to certain locations.
Distributors of Locky are also free to set the ransom amount, the payment deadline, encryption details and so on.
The ransomware applies a complex encryption scheme that involves generating a key. Once the key has been used to encode the data on the affected machine it is destroyed locally; the only remaining copy is held on the remote server.
Moreover, the key used to encrypt the data may differ from the one required to decrypt it. If so, the scheme is asymmetric, and the encryption key is useless for decrypting the data.
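To make the distinction in the two paragraphs above concrete, here is an added example (not Locky's code and not from the article's author) using textbook RSA with the standard small parameters p=61, q=53 and a toy XOR stream cipher as the symmetric contrast; the plaintext value and the XOR key are constructed for the demo, and the RSA parameters are far too small for real use:

```python
# Added illustration of key asymmetry: toy RSA (textbook p=61, q=53) next to a
# symmetric XOR stream cipher. Constructed for this example; not Locky's code.

P, Q = 61, 53
N = P * Q                  # 3233: modulus shared by both halves of the key pair
PHI = (P - 1) * (Q - 1)    # 3120
E = 17                     # public exponent: the only key an encryptor needs to carry
D = pow(E, -1, PHI)        # 2753: private exponent, the part held on the remote server


def rsa_encrypt(m: int, e: int = E, n: int = N) -> int:
    """Encrypt integer m (< n) with the public key (e, n)."""
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int = D, n: int = N) -> int:
    """Recover m from ciphertext c with the private key (d, n)."""
    return pow(c, d, n)


def rsa_wrong_key_attempt(c: int, e: int = E, n: int = N) -> int:
    """What a victim gets by applying the encryption key to the ciphertext: not m."""
    return pow(c, e, n)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Symmetric toy cipher: the same call encrypts and decrypts, so the key alone restores data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo() -> dict:
    """Run both schemes on constructed sample input and report what each key recovers."""
    m = 65                                  # constructed sample plaintext (< N)
    c = rsa_encrypt(m)
    sym_key = b"\x5a\xc3\x99\x10"           # constructed symmetric key
    plain = b"quarterly report"
    ct = xor_stream(plain, sym_key)
    return {
        "rsa_ciphertext": c,
        "rsa_decrypted_with_private": rsa_decrypt(c),
        "rsa_decrypted_with_public": rsa_wrong_key_attempt(c),
        "xor_roundtrip_ok": xor_stream(ct, sym_key) == plain,
    }


if __name__ == "__main__":
    print(demo())
```

With the symmetric cipher, anyone who recovers the key from memory or disk can decrypt, which is why a scheme built on it must discard the key as the previous paragraph describes; with RSA, the public exponent can stay on the machine indefinitely and still gives nothing back, as rsa_wrong_key_attempt shows.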
Once Locky completes its encryption run, it drops a file with instructions for the victim. Users are prompted to purchase the decryption key, paying in Bitcoin, with the transaction to be completed through the Tor browser.
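From a defender's side, the two observable effects described above (a directory full of files that no longer look like documents, plus a dropped instruction file) can be turned into a simple triage heuristic. This added example, not from the article, scores a directory by Shannon entropy per file and looks for note-like text; the file names, contents and keyword list are constructed assumptions, and the entropy threshold is a common rule of thumb rather than anything the article states:

```python
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.5   # bits per byte; ciphertext and compressed data sit close to 8.0
# Words the article says the instruction file revolves around; exact wording is an assumption
NOTE_KEYWORDS = ("decrypt", "bitcoin", "tor")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(data: bytes) -> bool:
    """Coarse check: a small text file that mentions every keyword at once."""
    if len(data) > 65536:
        return False
    text = data.decode("utf-8", errors="ignore").lower()
    return all(word in text for word in NOTE_KEYWORDS)


def assess_directory(files: dict, min_ratio: float = 0.6) -> dict:
    """files maps file name -> content bytes (what a real scan would read from disk).
    Flags the directory when most files are high-entropy blobs AND a note is present."""
    high = [name for name, data in files.items() if shannon_entropy(data) >= HIGH_ENTROPY]
    notes = [name for name, data in files.items() if looks_like_ransom_note(data)]
    ratio = len(high) / len(files) if files else 0.0
    return {"high_entropy": high, "notes": notes, "ratio": ratio,
            "suspect": ratio >= min_ratio and bool(notes)}


def _filler(seed: int, size: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for encrypted file content."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


# Constructed sample directory: four "encrypted" documents, one untouched text file, one note
SAMPLE_DIR = {
    "report.docx": _filler(1),
    "budget.xlsx": _filler(2),
    "photo.jpg": _filler(3),
    "contract.pdf": _filler(4),
    "todo.txt": b"Quarterly notes: revenue up, costs flat.\n" * 100,
    "how_to_recover.txt": (b"All of your files are encrypted. To receive the decryption key, "
                           b"pay in Bitcoin and complete the transaction through the Tor browser."),
}

if __name__ == "__main__":
    print(assess_directory(SAMPLE_DIR))
```

Entropy alone misfires on archives, media and already-compressed office formats, which is why the verdict also requires a note; in practice the same heuristic is more useful when run on a file-change feed (many files rewritten in a short window) than on a static directory listing.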
There is no guarantee the crooks will actually provide the key. Too many intermediaries are involved, and none of them can be trusted to be scrupulous. Needless to say, paying the ransom only gives further incentive to develop the scam.
Removing Locky is recommended, but only after a proper recovery effort has been completed. The suggestion is to stick to ransom-free recovery methods.