Last month, reports emerged that the Locky, an deadly ransomware, which made headlines in 2016 might strike again anytime and now it looks like, has made its way into India.

State-run Indian Computer Emergency Response Team (CERT-In) has issued an advisory that Locky ransomware is spreading fast in India and warned the citizens not to open any emails with attachments from unknown senders.

Also read: Ransomware effect: Google testing 'Panic button' feature in Android to instantly kill malware-ridden apps; all you need to know

CERT-In has come to know that over 23 million messages have been sent in this campaign. The messages contain common subjects like "please print", "documents", "photo", "Images", "scans" and "pictures". However, the subject texts may change in targeted spear phishing campaigns.

"The messages contain "zip" attachements with Visual Basic Scripts (VBS) embedded in a secondary zip file. The VBS file contains a downloader which polls to domain "greatesthits[dot]mygoldmusic[dot]com" (please do not visit this malicious website) to download variants of Locky ransomware," CERT-In warned.

If the system is infected by Locky all files are encrypted and string with random numbers with extension "[.]lukitus" or "[.]diablo6" is appended to the encrypted files. It may be noted that earlier variants of Locky add extension ".locky" to the encrypted files.

"After encryption, desktop background is changed with instructions and a "htm" file with a name "Lukitus[dot]htm". The instructions contain installation of TOR browser and visiting ".onion" sites and demanding ransom of ".5 Bitcoins," CERT-In added.

It is also reported that a spam campaign showing links to fake dropbox sites is being used to spread Locky variants.

Locky ransomware, how to protect PCs from malware
[Representational Image] Deadly Locky ransomware looms large on India; here's how to protect your PCs. In Picture: Malware detectionCreative Commons

If the pages are viewed in Chrome or Firefox, they show a fake notification stating "you don't have the HoeflerText font". These fake notifications had an "update" button that returns a malicious JavaScript (.js) file.

Read more: Locky ransomware: All you need to know

What makes Locky malware more deadly compared to others is that it is capable of understanding the sensitivity of the hacked files and set an individual price-tag for particular data and earn high-value ransom in quick time.

Cyber Attack Alert: Deadly Locky ransomware looms large on India; here's how to protect your PCsAjay Kumar (@drajaykumar_ias) via Twitter

So far, Locky malware creators are said to have extorted more than $7.8 million in payments from victims.

Here's how to protect your PCs from ransomware and malwares:

  • Always keep your PCs updated with latest firmware; most software companies including Microsoft and Apple usually send software updates regularly in terms of weekly or monthly, always make sure to update them immediately
  • Make sure to use premium Anti-virus software, which also provides malware protection and Internet security
  • Never ever open email sent from unknown senders
  • Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.
  • Disable remote Desktop Connections, employ least-privileged accounts. Limit users who can log in using Remote Desktop, set an account lockout policy. Ensure proper RDP logging and configurations
  • Never ever install plugins (for browsers) and application softwares on the PCs from un-familiar publishers
  • System administrators in corporate companies should establish a Sender Policy Framework (SPF) for theri domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.

Additional security measures that may be considered by system administrators:

  • Use RDP Gateways for better management
  • Change the listening port for Remote Desktop
  • Tunnel Remote Desktop connections through IPSec or SSH
  • Two-factor authentication may also be considered for highly critical systems

Also read: Here's US Homeland Security and FBI-approved steps to improve cybersecurity

List of malicious domains/IPs that are hosting Locky ransomware:

  • greatesthits[dot]mygoldmusic[dot]com
  • files with extension " [.]lukitus" or "[.]diablo6"
  • file Win[.]JSFontlib09[.]js
  • hxxp://[.]id/657erikftgvb??pGDIWEKDHD=pGDIWEKDHD
  • Locky ransomware post-infection URL: hxxp://

Fake dropbox sites:

  • hxxp://[.]uk/dropbox.html
  • hxxp://ambrogiauto[.]com/dropbox.html
  • hxxp://arthurdenniswilliams[.]com/dropbox.html
  • hxxp://autoecoleathena[.]com/dropbox.html
  • hxxp://autoecoleboisdesroches[.]com/dropbox.html
  • hxxp://autoecoledufrene[.]com/dropbox.html
  • hxxp://avtokhim[.]ru/dropbox.html
  • hxxp://bayimpex[.]be/dropbox.html
  • hxxp://binarycousins[.]com/dropbox.html
  • hxxp://charleskeener[.]com/dropbox.html
  • hxxp://campusvoltaire[.]com/dropbox.html
  • hxxp://dar-alataa[.]com/dropbox.html
  • hxxp://[.]uk/dropbox.html
  • hxxp://gestionale-orbit[.]it/dropbox.html
  • hxxp://griffithphoto[.]com/dropbox.html
  • hxxp://jakuboweb[.]com/dropbox.html
  • hxxp://jaysonmorrison[.]com/dropbox.html
  • hxxp://patrickreeves[.]com/dropbox.html
  • hxxp://potamitis[.]gr/dropbox.html
  • hxxp://tasgetiren[.]com/dropbox.html
  • hxxp://willemshoeck[.]nl/dropbox.html

For more information on updated list of latest malious URLs, check HERE.

Follow us @IBTimesIN_Tech on Twitter for latest news on cyber security and more.