This month, it seems that a very successful Locky ransomware distribution network has been the victim of a similar attack by a white hacker.
Locky is a ransomware that encrypts the files and personal data on computers after infecting them and then extorts money from the victims afterwards. We have reported about it in several blog posts, like the latest one.
The spreading of this ransomware via email is fairly direct: A JavaScript is masked as an invoice and attached to the email. The infection process starts once the recipient is tricked and clicks on the attached file to execute it. The social engineering used to trick computer users and make the infection work can be seen in spearphishing emails like this one:
The JavaScript inside the attachment is usually obfuscated which means the real content isn’t visible or understandable for the reader. Within the JavaScript itself is a domain generation algorithm for connecting and downloading the original Locky ransomware from the criminals’ server. Additionally, the downloader directs where the malicious files have to be copied to within the infected system as well as executes the downloaded file. In our case, the following URL was generated:
hxxp://cafeaparis.eu/f7****d
But in place of the expected ransomware, we downloaded a 12 byte text file with the plain message “Stupid Locky”.
Subsequently, the execution was directly terminated as the file did not have a valid structure.
It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file. And I do mean dummy in the fullest expression of the word. Now, I don’t believe that cybercriminals themselves would have initiated this operation because of the potential damage to their reputation and income stream. I also wouldn’t say that “Locky is dead” after this operation. As we know, they are still active and understand their “business” very well. But after the examples of Dridex and now Locky, it shows that even cybercriminals, masters of camouflage, are also vulnerable.
