Please note the Locky delivery email is translated to various languages, and localised per region.

I am seeing around 4000 new infections per hour (from one of many domain names used by the software), or approximately 100,000 new infections per day (on the 3rd day of distribution). Because I can only see a portion of the traffic, I believe the real numbers will be higher. The number of connections (which occur on encryption) is vast and suggests this is a highly successful and damaging attack.

Recovery

To recover your files you need to look for backups. If your backups are network based, you may have a problem as these may also be ransomed. I do not recommend paying ransoms.

Identifying infected network users

If you see .locky extension files appearing on your network shares, look up the file owner of the _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer account immediately and boot them off the network — you will likely have to rebuild their PC from scratch.
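The owner lookup described above, as an added PowerShell example (not code from the original post); it walks a share, finds every ransom note, reads the note's owner from its ACL and summarises per account. The share path is a placeholder you must replace.

```powershell
# Added example: identify infected users by the owner of each
# _Locky_recover_instructions.txt found on a file share.
param(
    [string]$SharePath = '\\fileserver\share'   # placeholder: your share's UNC path
)

$noteName = '_Locky_recover_instructions.txt'

# Every ransom note under the share (hidden folders included)
$notes = Get-ChildItem -Path $SharePath -Recurse -Force -File -Filter $noteName -ErrorAction SilentlyContinue

$findings = foreach ($note in $notes) {
    # The note is written by the infected user's session, so its owner is the suspect account
    $owner = (Get-Acl -Path $note.FullName).Owner
    # Count the encrypted files sitting next to the note
    $lockyCount = (Get-ChildItem -Path $note.DirectoryName -File -Filter '*.locky' -ErrorAction SilentlyContinue | Measure-Object).Count
    [pscustomobject]@{
        Owner      = $owner
        Folder     = $note.DirectoryName
        NoteTime   = $note.LastWriteTime
        LockyFiles = $lockyCount
    }
}

if (-not $findings) { Write-Output "No $noteName found under $SharePath"; return }

# One line per suspect account: folders hit, files encrypted, earliest note time
$findings | Group-Object Owner | ForEach-Object {
    [pscustomobject]@{
        Owner      = $_.Name
        Folders    = $_.Count
        LockyFiles = ($_.Group | Measure-Object LockyFiles -Sum).Sum
        FirstSeen  = ($_.Group | Sort-Object NoteTime | Select-Object -First 1).NoteTime
    }
} | Sort-Object Folders -Descending | Format-Table -AutoSize

# Per-folder detail for the incident record
$findings | Sort-Object NoteTime | Export-Csv -Path "$env:TEMP\locky-findings.csv" -NoTypeInformation
```

Run it from an account that can read the share's ACLs; the earliest NoteTime per owner also gives you the start of that user's encryption run for the timeline.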

Prevention

I strongly recommend you look into securing Microsoft Office in your environment. You can do this with half an hour's work — if you fail to do this step, you will keep getting hit.

Technical details

Communication via hxxp://195.64.154.14/main.php

Attempts to contact domains xfyubqmldwvuyar.yt, luvenxj.uk, kpybuhnosdrm.in, dkoipg.pw - these currently aren't registered.

Creates registry key HKEY_CURRENT_USER\Software\Locky

Payload SHA256 17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2 - Sophos will later today detect as Troj/Ransom-CGR

Dropper SHA256 97b13680d6c6e5d8fff655fe99700486cbdd097cfa9250a066d247609f85b9b9 - Sophos will later today detect as Troj/DocDl-BAI