Users typically encounter Locky ransomware by either being exposed to an exploit kit or via a spam email message with a file attachment.
Delivery via email
The most common way Locky ransomware is distributed is as a file attached to a email message. The emails may appropriate the names and/or branding of various legitimate companies to appear authentic. They will typically appear to be related to invoices, court orders or logistic/baggage related topics.
The zipped files may be identified by the related Trojan-Downloader:JS/Locky detection, while document files may be identified by the Trojan-Downloader:W97M/Locky detection.
Delivery via exploit kit
Locky ransomware can also be delivered as the payload of an exploit kit. If the user is exposed to a exploit kit (usually by visiting a compromised website, or by being redirected to a malicious one) and it successfully exploits the user's machine, the kit will download the ransomware and it will immediately run.
Locky ransomware encrypt files stored on the machine. Depending on the specific variant, the encryption can be done using either the AES 128-bit or RSA 2048-bit encryption algorithms - which are extremely difficult to break.
Once the files are encrypted, a text file containing the ransom demand is saved on the system. In some variants, the desktop background is also changed to display the demand. The file will provide instructions on how to pay the ransom demanded.