What is Maktub Locker ransomware? How it works and how to protect yourself
Maktub Locker ransomware is one of the most dangerous and advanced ransomware variants to emerge in recent years. Known for its strong encryption, deceptive phishing strategies, and rapidly increasing ransom demands, it continues to pose a significant threat to both individuals and organizations.
This article explains what Maktub Locker ransomware is and how it spreads, describes incidents from real attacks, and shows how you can protect yourself with proven cybersecurity practices.
What is ransomware?
Ransomware is malicious software that encrypts a victim's data and locks them out of their files or systems. Victims are then asked to pay a ransom, usually in a cryptocurrency such as Bitcoin, in exchange for a decryption key.
Ransomware can target any user, from individuals to large organizations.
Ransomware attacks can lead to data loss, business interruption, financial damage, and reputational harm. Many attacks begin with phishing, which uses social engineering and personal information such as names or addresses to trick victims into downloading malware; data breaches can supply attackers with exactly this information, making the lure more convincing and enabling more targeted follow-on attacks on organizations and their customers. A typical phishing email claims the recipient has an overdue invoice or statement, or owes money, and attaches a malicious file, using urgency to push the recipient into opening it. British businesses have recently been targeted by a new phishing scam of this kind that uses highly personalized details. Some victims recover their files from backups or with decryption tools, but success is not guaranteed, so it pays to know current phishing tactics and to consult multiple sources to keep up with evolving ransomware threats.
For a deeper understanding of how ransomware works and why it remains one of the most dangerous cyber threats, read our complete guide on what ransomware is.
Introduction to Maktub Locker ransomware
Maktub Locker ransomware first appeared in 2016 and was fairly successful in infecting victims. It gained attention for its incredibly fast encryption process, strong encryption, and its polished interface for delivering ransom demands. The word “Maktub” means “it is written” in Arabic, suggesting to victims that their fate is already sealed.
The malware is often disguised as a legitimate file, such as a Terms of Service update, and sent via email. These emails usually contain attachments in RTF format, which activate the ransomware once opened. The message crafted by the attackers is designed to lure victims into opening the malicious attachment. Once executed, the desktop version of Maktub Locker quickly encrypts files on the user's hard drive, including those on the desktop, using a powerful encryption process that generates random encryption keys and appends a unique, randomly generated extension to each encrypted file. The ransomware also compresses files as part of the encryption process, resulting in much smaller encrypted files compared to the originals. All files are encrypted offline, without needing an internet connection, and rendered inaccessible to the user. The malware's code does not use static references, making detection more difficult for security tools. During the attack, a warning message appears on the user's screen.
Victims are usually offered free decryption of two files as proof that recovery is possible. The ransom starts at 1.4 Bitcoin and stays at that level for the first three days; it then rises to 1.9 Bitcoin, and to 3.9 Bitcoin if no payment is made within 15 days. The payment website uses polite language to reassure victims and encourage a quick payoff.
How Maktub Locker spreads
Maktub Locker is usually delivered through a phishing scam. These emails target the user and may appear to be from trusted sources, often claiming that the recipient owes money. The message often includes personal details, such as the recipient’s full name or address, to make the phishing scam more convincing.
When the user clicks on the attached file or link, the malware is activated and begins encrypting files immediately. The files are encrypted offline, without requiring a network connection or a connection to a command-and-control server. Each encrypted file receives a unique, randomly generated extension, making it difficult to identify and recover the original files.
After encryption, the user sees a warning message from the attackers. This message serves as both the ransom note and an alert, and it directs the victim to a payment website that uses polite language to reassure them. The ransom starts at a lower amount for the first three days and then increases, because the attackers want a quick payoff. Victims may attempt to recover their files, but the random extensions and offline encryption make this difficult. The Maktub Locker campaign was fairly successful in infecting users and achieving its objectives.
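The per-file random extension and the compressed, encrypted content described above give defenders a detectable footprint on disk. The following added example (not from the original article or any vendor) is a small Python heuristic that scans a directory for files with unknown extensions and near-random content, and raises an alert when nearly every such file carries its own distinct extension; the extension list, the thresholds and the sample files it builds are all constructed for the demonstration.

```python
import math
import secrets
import tempfile
from collections import Counter
from pathlib import Path

# Extensions normally present on the monitored share (constructed list, not exhaustive).
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious_file(path: Path, entropy_threshold: float = 7.5) -> bool:
    """A file is suspicious if its extension is unknown AND its content is near-random."""
    if path.suffix.lower() in KNOWN_EXTENSIONS:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)  # the first 4 KiB is enough to estimate entropy
    return shannon_entropy(head) >= entropy_threshold

def scan_directory(root: str, min_files: int = 5, min_ratio: float = 0.5) -> dict:
    """Alert when many files are suspicious and almost each one has its own extension
    (the one-random-extension-per-file pattern Maktub Locker leaves behind)."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    suspicious = [p for p in files if is_suspicious_file(p)]
    distinct = {p.suffix.lower() for p in suspicious}
    alert = (len(suspicious) >= min_files
             and len(suspicious) / max(len(files), 1) >= min_ratio
             and len(distinct) >= 0.8 * len(suspicious))
    return {"total": len(files), "suspicious": len(suspicious),
            "distinct_unknown_extensions": len(distinct), "alert": alert}

def build_sample_tree(encrypted: bool, count: int = 8) -> str:
    """Construct a throwaway directory of sample files; encrypted=True mimics the
    post-attack state (random bytes under a random extension) for the demo."""
    root = tempfile.mkdtemp(prefix="maktub_demo_")
    for i in range(count):
        if encrypted:
            name = f"report{i}.{secrets.token_hex(3)}"  # e.g. report0.9f3a1c
            data = secrets.token_bytes(2048)
        else:
            name = f"report{i}.txt"
            data = (f"Quarterly report {i}\n" * 100).encode()
        Path(root, name).write_bytes(data)
    return root
```

Run `scan_directory(build_sample_tree(encrypted=True))` to see the alert fire on the constructed post-attack tree, and with `encrypted=False` to see it stay quiet on ordinary text files.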
Notable attacks involving Maktub Locker
Maktub Locker has been involved in several high-profile cyberattacks, as reported by multiple sources.
For example, the San Francisco Municipal Transportation Agency was hit in 2016, disrupting public transit services and causing financial losses for both the agency and its customers.
In 2017, the UK National Health Service (NHS) was targeted, causing major delays in patient care and hospital operations and affecting customers and staff.
Several British businesses were also targeted in phishing campaigns and scams, including a new phishing scam where victims were tricked into clicking on links that installed Maktub Locker. These emails often used realistic personal details, sometimes obtained from data breaches, to make the scams more believable. In some cases, the phishing emails included addresses formatted like those found in eBay accounts, raising concerns about the use of eBay's data in these attacks. Customer data was specifically targeted, and these incidents highlight the risk that data breaches can lead to more targeted attacks on organizations and their customers.
These attacks underscore the importance of customer data security and the need for organizations and customers to be aware of evolving threats. Companies like eBay work aggressively to protect customer data, continually update their security measures, and strive to provide the safest environment for their users. Protecting customer data is their highest priority.
Evolution into Ransomware-as-a-Service
Over time, Maktub Locker evolved from a standalone malware into a Ransomware-as-a-Service model, affecting organizations by enabling hackers to purchase or lease the ransomware and launch their own attacks without developing it themselves. These attacks are often sophisticated scams, targeting users and customers by exploiting their personal information and behavior.
Although the original creators of Maktub Locker claimed to retire in 2017, the ransomware’s source code continued to circulate on underground forums. As a result, new threat actors have reused and modified the malware to carry out fresh attacks, as reported by multiple sources.
To learn more about how this criminal business model works and why it’s so effective, read our full guide on Ransomware-as-a-Service.
How to protect against Maktub Locker ransomware
Preventing ransomware requires a proactive, layered security approach. Individual users must take steps to protect themselves and stay aware of ransomware threats, while organizations should secure every network connection, keep their security measures current, and make the protection of customer data a priority. Below are the most effective strategies for protecting against Maktub Locker and similar threats.
Back up your data
Create regular backups of your files and store them offline or in a secure cloud environment. Users should test backups regularly to ensure they work correctly. In the event of an attack, backups allow users to recover encrypted files without paying the ransom.
Train employees in cybersecurity awareness
Human error is one of the biggest risks in cybersecurity. Conduct regular training to help users become aware of phishing and ransomware threats, recognize phishing emails, avoid unsafe downloads, and report suspicious activity.
Keep software updated
Apply security patches and updates to your operating systems, applications, and antivirus software. It is important to continually update your software to defend against new threats, as many ransomware infections exploit outdated software or known vulnerabilities.
Strengthen network security
Implement strong firewalls, intrusion detection systems, and endpoint protection tools to monitor and block malicious activity before it reaches your internal systems.
Filter emails and block malicious content
Use email filters to detect and block phishing attempts before they reach users. Block file types commonly used in ransomware attacks, such as .scr and .rtf, and ensure that all attachments, especially those in RTF format, are scanned for malicious content in a sandbox environment.
Establish cybersecurity policies
Organizations should develop clear cybersecurity guidelines, including an incident response plan. Ensure all employees are aware of cybersecurity policies and understand what actions to take in the event of a ransomware attack.
Consider cyber insurance
Cyber insurance can help cover the financial cost of a ransomware attack, including recovery expenses, legal fees, and even ransom payments if necessary. It also provides professional support during the crisis.
Final thoughts
Maktub Locker ransomware remains a dangerous and highly effective threat. Its ability to encrypt files quickly, demand rising ransom payments, and use personalized phishing scams makes it especially harmful to both users and organizations. Customers of businesses are also at risk, as cybercriminals often target their personal data.
To protect customer data and ensure customer data security, organizations and users must remain aware of ransomware threats. Employees should be aware of common attack vectors, and organizations should continually update their security practices to defend against evolving threats. Backing up data, updating systems, training staff, and using advanced security tools all help reduce the risk of infection and create the safest environment for sensitive information.
Recovering encrypted files is possible with proper preparation, such as maintaining secure backups and understanding decryption options. Always consult multiple sources for up-to-date information on ransomware tactics and recovery methods.
By staying informed and vigilant, you can protect your systems, your data, your customers, and your organization from ransomware threats like Maktub Locker.
This post has been updated on 07-07-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.