Recent Ransomware Variant - Locky

Number: AL16-005
Date: 1 April 2016


The Canadian Cyber Incident Response Centre (CCIRC), in collaboration with the United States Department of Homeland Security (DHS) Computer Emergency Readiness Team (US-CERT) is releasing this Alert to provide further information on a recent ransomware variant named Locky. Since early 2016, Locky has been observed infecting computers belonging to individuals and businesses, including healthcare facilities and hospitals worldwide.


CCIRC is aware of a destructive ransomware variant named Locky which has been observed since early 2016. This form of destructive ransomware attempts to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user's computer has been locked or that all of the user's files have been encrypted. Users are then told that unless a ransom is paid, access will not be restored.

Locky ransomware propagates through spam emails that include malicious Microsoft Office documents or compressed archive attachments, such as .zip and .rar.  The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files. Locky has affected computers belonging to individuals and businesses, including healthcare facilities and hospitals in the United States, New Zealand, Germany, and Canada. Other destructive ransomware variants have also emerged in 2016, such as Samas, which is used to compromise the networks of healthcare facilities. See the reference section below for more information.

Ransomware is typically spread either through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website. Malware is downloaded and installed without the user's knowledge. Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and also has been spread through Web-based instant messaging applications.

Ransomware not only targets home users; businesses can also become infected with ransomware, which can have negative consequences, including:

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information as well. In addition, decrypting files does not mean the malware infection itself has been removed.

Suggested action

CCIRC recommends that organizations review the following mitigation information/preventive mesures and consider their implementation in the context of their network environment:

It is important to note that infections can be devastating to an individual or organization, and that recovery can be a difficult process which may require the services of a reputable data recovery specialist.


US-CERT Alert (TA16-091A)

CCIRC Cyber Safe Guide

McAfee Labs Threat Advisory: Ransomware - Locky

Sophos / Naked Security, “Locky” ransomware – what you need to know

Symantec Article - Cryptolocker: A Thriving Menace

Samas - SamSam: The Doctor Will See You, After He Pays The Ransom

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589

Date modified: