A single registry key is enough to protect a system against infection with the Locky ransomware, security researcher Sylvain Sarméjeanne reports. Locky has been in the news a lot recently because it was spreading rapidly; according to some reports it infected more than 90,000 systems a day.
Sarméjeanne analyzed the ransomware and found that Locky does not encrypt files on computers whose language is set to Russian. Changing the language setting therefore prevents infection, but obviously not everyone is able to work with a Russian-language system. A registry hack is therefore a more workable solution.
Before Locky starts to encrypt files, it first checks some values in the Windows registry. After checking the language settings, it tries to create a registry key, but if that key already exists Locky terminates itself. If the key does not already exist, it is created under HKCU\Software\Locky; creating the key in advance and protecting it with an ACL that allows nobody to change it therefore blocks the infection.
The ransomware also checks other values under that key: ‘id’, a unique ID of the infected machine; ‘paytext’, the text shown to inform the user about the ransom procedure; and a simple value named ‘completed’ that, when set to 1, tells the ransomware it has already done its job. If the ‘id’ value is correct and ‘completed’ is set to 1, Locky will not start the encryption process.
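The following PowerShell is an added illustration of the "vaccine" described above; it is not code from the article or from Sarméjeanne's write-up. It pre-creates the HKCU\Software\Locky key named in the article, sets ‘completed’ to 1, and applies a deny ACL so that nobody can alter the key. The ‘id’ value is deliberately left out, since the article does not give the method used to compute it.

```powershell
# Added example (not from the article). Assumes: run as the interactive user whose
# HKCU hive should be protected, and that the key path quoted in the article is the
# one Locky tests for. Run from an elevated PowerShell session to keep a way to undo.
$keyPath = 'HKCU:\Software\Locky'

# 1. Create the key the malware looks for. Per the article, Locky terminates itself
#    when this key already exists.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# 2. Set 'completed' = 1 so the ransomware believes it has already finished its job.
New-ItemProperty -Path $keyPath -Name 'completed' -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Lock the key down: stop inheriting permissions from HKCU\Software, then add a
#    Deny rule for Everyone on the rights needed to change values, add subkeys or
#    delete the key. WriteDac/TakeOwnership are not denied, so an administrator can
#    still revert the change later.
$acl = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $true)   # protect from inheritance, keep copies

$everyone = New-Object System.Security.Principal.NTAccount('Everyone')
$rights   = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$deny     = New-Object System.Security.AccessControl.RegistryAccessRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($deny)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Verify: the value is present and the Deny entry is in place.
Get-ItemProperty -Path $keyPath -Name 'completed' | Select-Object completed
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, RegistryRights, AccessControlType
```

To undo, take ownership of the key as an administrator, remove the Deny rule, and delete the key.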
Sarméjeanne has found a way to calculate the ‘id’ value, and has also found other ways of making sure Locky does not start at all. A full description can be found here.
“Locky has been wreaking havoc for many weeks but there exists very simple means to prevent files from being encrypted, without any anti-virus or security tool, provided that the system has been prepared for it”, Sarméjeanne concludes. However, his measures will likely only work until the next iteration of the ransomware.