Skip to main content

"Locky" Ransomware Makes People Pay to Get Their Data Back

A new wave of ransomware (malicious software that encrypts files for ransom) is being reported in the news and by some users within the Cornell community. This particular instance of ransomware, called "Locky," is currently being sent as a ZIP file attachment in email messages with the subject line similar to or including the following: "FW: Invoice Copy".

When users open the attachment, this ransomware encrypts popular file types (documents, images, music, videos, databases, etc.), rendering them unusable without the encryption key. A pop-window informs the user that files have been encrypted and demands a ransom payment to obtain the encryption key.

Files Connected via External/Cloud Storage are Also at Risk

Keep in mind that this potentially includes items that are not only on the computer’s internal storage, but any external storage connected to the computer at the time of the initial infection. This could include: USB drives, external hard drives, any file shares that the user is connected to over the network (think Z: or S: drive), and files connected to cloud services with local storage (like Box). 

Antivirus Is Not Catching All Variants

Both Microsoft System Center Endpoint Protection (SCEP) and Symantec Endpoint Protection (SEP) have reported on their websites that they are catching a few variations of ransom malware, but not all.

Strategies to Protect Cornell Data

  1. Make sure systems are backed up using an offsite backup service that makes use of version history. Cornell offers EZ Backup:
  2. Avoid attachments from unknown email senders. Be particularly wary of those with subject lines relating to “Invoices” if you are not expecting them. Practice extra caution with ZIP and other archive formats, as well as Microsoft Word, Excel, and Adobe PDF documents. If you receive messages like these, please contact department IT support, or the IT Security Office ( for assistance.
  3. If you are prompted to install updates, please either contact your department IT support for assistance, or if you administer your own computer, please directly visit a vendor’s website to download and apply an update (e.g., or open the application and check for updates, rather than clicking on any pop-ups.

Where to go with More Questions

If you have any follow up questions on this alert or about “Locky," please contact the IT Security Office by emailing or calling the IT Security Office Operations Line at 255-6664.

Was this page helpful?

Your feedback helps improve the site.