https://afritechnet..com/2016/03/introducing-locky-ransomware.html

Businesses and individuals are being sent an email with a Microsoft Word attachment. The email claims that the attached document is an invoice or vital executable macro program. In reality the illegible ‘invoice’ and macro is a conduit for the infamous ransomware known as ‘Locky’ . Locky relies on social engineering more so than any great technical ingenuity to infect systems by advising the reader to enable macros so as to view the content of the attached document. Locky has successfully infected hundreds of computers in a number of European nations, Russia, the US, Pakistan, and Mali.

Once installed, Locky scans local drives (and networked drives) and encrypts files such as documents, images, music, videos, archives, database, and other web application-related files. Encrypted files are renamed and appended with a “.locky” extension. In a manner similar to other ransomware variants, a .txt file (_Locky_recover_instructions.txt) in numerous languages is left in every infected directory. The message directs victims to a Tor network to make payment in Bitcoins (0.5 BTC, roughly equal to $210).



How to protect against Locky

Locky has some weak points, apparently by design. For example, it won't execute on a computer that has its language settings set to Russian, which probably gives an approximate region of where its authors are located.

Locky tries to create registry key called "HKCU\Software\Locky. Locky will stop running if that key is created prior to infection.

Ransomware authors quickly improve their code, particularly after security researches publish weaknesses. Microsoft has taken steps to ensure that fewer people fall prey to macro-based infections.

https://afritechnet..com/2016/03/introducing-locky-ransomware.html