Cybersecurity Alert: Locky Ransomware Returns With New Variants

August 18, 2017

Threat Summary

Locky, which has been one of the first and most successful forms of ransomware historically, has returned with new variants, Diablo and Lukitus. The email-based campaign started earlier this month and thus far has infected tens of thousands of people.

The ransomware sends emails containing malicious PDF attachments with embedded .DOCM files. This ransomware has been particularly effective given that files embedded within PDFs are not inspected by all mail filters by default. If the user opens the embedded file and enables macros as instructed, they will receive a message indicating that their files have been encrypted and they must pay a ransom in order to get their data back from the attackers' server.

For more information, see:

ACA Aponix Guidance

We recommend taking the following precautionary measures:

  • Ensure spam filters are inspecting files embedded within PDF files
  • Block .DOCM inbound emails
  • Set Microsoft Office Trust Center settings to disable or force prompt for macros
  • Train users using macro-based phishing tests
  • Back up your data regularly to WORM storage

If you have any questions, please contact your ACA Aponix consultant or email us at