ZD Tech: Locky, when ransomware goes to court


Hello everyone and welcome to ZD Tech, ZDNet’s daily editorial podcast. My name is Louis Adam and today I’m going to tell you the story of Locky, this ransomware that attacked French Internet users in 2016.

Back then, ransomware didn’t get the media attention it gets today. But this type of malware, which encrypts files on a machine and then demands a ransom, is starting to grow. Among the representatives of this new threat, one name stands out at the beginning of 2016: Locky.

At the beginning of that year, many booby-trapped emails containing a malicious attachment were detected. Recipients unlucky enough to open it were infected with the Locky ransomware, which demanded a ransom in bitcoin. Locky was distributed in many countries, but its operators did not hesitate to tailor their lure emails to their targets, for example by sending fake Free Mobile invoices in France.

$7.8 million in loot

And Locky’s victims were many, ranging from private individuals and small businesses to larger organizations such as US hospitals. At that time, ransoms were nowhere near today’s stratospheric amounts: the sums extorted by Locky were more in the hundreds of dollars, a few thousand in some cases.

Crime seemed to pay: in 2017, researchers estimated that the total ransoms extorted by Locky amounted to 7.8 million dollars in cryptocurrency. What set Locky apart was the large number of victims, at the time unprepared for this type of threat.

Locky’s activity was mainly concentrated in 2016, and the distribution of the malware quickly waned, until it disappeared completely about a year later. Several complaints were filed by the victims and investigations were opened in France, but hopes were slim.

Alexander Vinnik facing justice

But the case took a new turn in France at the end of 2017, following the arrest in Greece of a Russian citizen, Alexander Vinnik. He was accused by the American courts of having run a cryptocurrency exchange used to launder funds. At the start of 2018, Vinnik was first extradited to France. The French authorities wanted to try him for his money laundering activities, but also accused him of being the cybercriminal behind the Locky ransomware. French investigators had followed the trail of the ransoms paid by Locky’s victims and traced them back to Alexander Vinnik’s platform, which collected most of the extorted sums.

Vinnik was finally sentenced in December 2020 to five years in prison for money laundering as part of an organized gang. But the judges did not uphold the charges relating to the operation of Locky, a judgment later confirmed on appeal. For the French courts, Vinnik did contribute to receiving and laundering the sums extorted by the ransomware, but there was no evidence that he was its designer or operator.
