Locky ransomware being operated by the Dungeon Spider threat group

• Locky has been active since early 2016 and has since undergone several upgrades.
• Locky’s success has prompted cybercriminals to create new ransomware variants that masquerade as Locky - like PyLocky.

The notorious Locky ransomware, which emerged in early 2016 was developed and is currently being operated by a threat group known as Dungeon Spider. Throughout 2016 and 2017, Locky infected thousands of victims across the globe, rapidly rising to become one of the most successful ransomware variants to have ever emerged in the wild.

The ransomware has since undergone various upgrades, been operated by numerous cybercriminals and helped attackers rake in immense amounts of ransom in the form of both bitcoin and regular international currencies. Some Locky variants are capable of functioning offline.

Locky is a ransomware tool that encrypts files using a combination of cryptographic algorithms: RSA with a key size of 2,048 bits, and AES with a key size of 128 bits. Locky targets a large number of file extensions and is able to encrypt data on shared network drives,” CrowdStrike researchers said in a recent report. “In an attempt to further impact victims and prevent file recovery, Locky deletes all of the Shadow Volume Copies on the machine.”

Locky infections drastically dwindled in late 2017. However, Locky’s success has prompted cybercriminals to create new ransomware variants that masquerade as Locky. PyLocky, which was first discovered in September 2018 is an ideal example of this mimicry. Although PyLocky has no connection to either Locky or Dungeon Spider, the trend of cybercriminals attempting to recreate or somehow link new malware to old, successful ones suggests that cybercriminals constantly attempt to cash in on the notoriety of dominant threats.