Any files that are encrypted with actual Locky ransomware will be renamed with random alphanumeric characters and have the .locky, .zepto, .odin, .bleep, .thor, .aesir, .zzzzz, or .osiris extension appended to the end of the encrypted data filename, in the following format: [unique_id][identifier].locky. Older Locky variants will store various information in the registry under the following keys:
- HKCU\Software\Locky\id - The unique ID assigned to the victim.
- HKCU\Software\Locky\pubkey - The RSA public key.
- HKCU\Software\Locky\paytext - The text that is stored in the ransom notes.
- HKCU\Software\Locky\completed - Whether the ransomware finished encrypting the computer.
Newer Locky variants do not create HKCU\Software\Locky registry entries anymore.
If these keys are present, then either the system is infected with an older variant and there will be other obvious indications (signs of infection), or some security/anti-ransomware software was installed and added the entries as a vaccine to prevent infection. The old Locky variant is not able to encrypt any files if these registry entries are present. According to several folks commenting here, Bitdefender Crypto-Ransomware Vaccine will create the HKCU\Software\Locky\ entry. Other security products may create the same entries as protection against infection.
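The two indicators described above (the HKCU\Software\Locky values and the renamed-file pattern) can be checked together so the result is easier to interpret. The script below is an added example and is not code from the original post or from any of the products mentioned; it assumes the value names and extensions exactly as listed above, and the folder path in the usage lines is a placeholder to replace with the directory you want to inspect.

```powershell
# Added example (not from the original post): look for the older-variant Locky
# registry values and for files carrying one of the listed Locky extensions.
# Assumptions: value names and extensions as given in the post; $ScanPath is a placeholder.

$LockyKey        = 'HKCU:\Software\Locky'
$LockyValueNames = @('id', 'pubkey', 'paytext', 'completed')
# Extensions listed in the post; used to build the filename pattern below.
$LockyExtensions = @('locky', 'zepto', 'odin', 'bleep', 'thor', 'aesir', 'zzzzz', 'osiris')

function Get-LockyRegistryIndicators {
    # Returns one row per expected value name, stating whether it exists under HKCU\Software\Locky.
    $keyExists = Test-Path -Path $LockyKey
    $item = $null
    if ($keyExists) {
        $item = Get-ItemProperty -Path $LockyKey -ErrorAction SilentlyContinue
    }
    foreach ($name in $LockyValueNames) {
        [PSCustomObject]@{
            Value   = "HKCU\Software\Locky\$name"
            Present = [bool]($item -and ($item.PSObject.Properties.Name -contains $name))
        }
    }
}

function Get-LockyRenamedFiles {
    param([Parameter(Mandatory)][string]$Path)
    # Encrypted files are renamed to [unique_id][identifier].<ext>, i.e. an alphanumeric
    # name followed by one of the Locky extensions. Match that shape, not original names.
    $extAlternation = ($LockyExtensions | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = "^[A-Za-z0-9\-]+\.($extAlternation)$"
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage (placeholder path; replace with the folder you want to inspect)
$ScanPath = 'C:\PLACEHOLDER\FolderToInspect'

$registry = Get-LockyRegistryIndicators
$renamed  = @(Get-LockyRenamedFiles -Path $ScanPath)

$registry | Format-Table -AutoSize
$renamed  | Format-Table -AutoSize

# Summarise the combination, following the reasoning in the post above.
$anyKey = ($registry | Where-Object Present).Count -gt 0
if ($anyKey -and $renamed.Count -gt 0) {
    'Locky registry values present AND renamed files found: consistent with an older-variant infection.'
} elseif ($anyKey) {
    'Locky registry values present but no renamed files: likely a vaccine entry added by a security product.'
} elseif ($renamed.Count -gt 0) {
    'Renamed files found without registry values: consistent with a newer variant, which no longer writes the key.'
} else {
    'No Locky registry values and no renamed files found in the scanned folder.'
}
```

The registry check only covers the current user's HKCU hive, which matches where the post says the values live; run it under each user profile that logs onto the machine if you need to be thorough. The filename check is deliberately tied to the renamed-file shape rather than to the original document names, since Locky replaces the whole filename, not just the extension.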