
like the latest one.
The spreading of this ransomware via email is fairly direct: a JavaScript file is disguised as an invoice and attached to the email. The infection process starts once the recipient is tricked into clicking on the attached file, which executes it. The social engineering used to trick computer users and make the infection work can be seen in spearphishing emails like this one:
The JavaScript inside the attachment is usually obfuscated, so its real content is neither visible nor understandable to the reader. Within the JavaScript itself is a domain generation algorithm used to connect to the criminals’ server and download the original Locky ransomware. The downloader also specifies where the malicious files are to be copied within the infected system and then executes the downloaded file. In our case, the following URL was generated:
hxxp://cafeaparis.eu/f7****d
But in place of the expected ransomware, we downloaded a 12 byte text file with the plain message “Stupid Locky”.
Execution was therefore terminated immediately, as the file did not have a valid executable structure.
It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file. And I do mean dummy in the fullest expression of the word. Now, I don’t believe that the cybercriminals themselves would have initiated this operation, because of the potential damage to their reputation and income stream. I also wouldn’t say that “Locky is dead” after this operation. As we know, they are still active and understand their “business” very well. But the examples of Dridex and now Locky show that even cybercriminals, masters of camouflage, are vulnerable too.
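As an added analyst-side example (not code from the original post or from Avira), this reproduces the structural check that stopped the infection: parse the HTTP response the downloader received and test whether the body is a valid PE executable instead of running it. The sample response is constructed here from the headers quoted in the comments later on this page (text/plain, Content-Length: 12); the header-only PE blob is likewise constructed for contrast.

```python
import struct

def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body

def is_valid_pe(data: bytes) -> bool:
    """Structural check a Windows loader also makes: MZ stub, e_lfanew inside
    the file, and the 'PE\\0\\0' signature at that offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_payload(raw: bytes) -> dict:
    """Summarise what a downloader fetched so an analyst can tell a replaced
    dummy text file from a real executable without executing anything."""
    status, headers, body = parse_http_response(raw)
    declared = headers.get("content-length")
    return {
        "status": status,
        "content_type": headers.get("content-type"),
        "content_length": int(declared) if declared is not None else None,
        "actual_length": len(body),
        "valid_pe": is_valid_pe(body),
        "body": body,
    }

# Constructed sample matching the headers quoted in the comments on this page
# (Content-Type: text/plain, Content-Length: 12) and the 12-byte body.
DUMMY_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                  b"Content-Length: 12\r\n\r\nStupid Locky")

def minimal_pe_blob() -> bytes:
    """Constructed header-only blob (not a runnable program) that passes the
    structural check, for contrast with the dummy text file."""
    blob = bytearray(0x80)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)   # e_lfanew -> PE signature
    blob[0x40:0x44] = b"PE\x00\x00"
    return bytes(blob)
```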
Whenever I open a new window, it redirects to this address below.
https://www.avira.com/en/pua-attacks?x-a-source=AME&x-a-utoken=f2da7b3317b94aa8bee795a3a9b344dd8d201e16&x-a-medium=5497&x-a-version=5908&x-a-item=framer&cservices=49
It is a virus; I also cannot uninstall Avira.
I have seen the same “STUPID LOCKY” file on another webserver, early March…
http://www.si#####on.com/system/logs/3523523.exe
Thus, this happened on at least 2 separate webservers. Note, this was just a hacked WordPress site serving as a place to drop the malware; it was most definitely no C&C server…
You forgot to censor the file name in the screenshot 😉
Thanks a lot for your feedback. The file name really does not tell much, so there is no reason to censor it. 🙂
You state »But in place of the expected ransomware, we downloaded a 12kb binary with the plain message “Stupid Locky”«
The following screenshot of the HTTP headers indicates that
a.) neither is it a binary (“Content-Type: text/plain”)
b.) nor is it 12 _k_b in size (“Content-Length: 12”)
While one could argue that of course even the plain text is binary data, the inherent implication of “binary” is a little different. Normally “binary” refers to a binary executable, i.e. a “program” or some kind of media file, such as an image or a movie or some sounds / music.
As other writers have included text from your post and spread the wrong information, would you mind editing and correcting it, please?
You could maybe use something like this:
»But in place of the expected ransomware, we downloaded a 12 byte text file with the plain message “STUPID LOCKY”:«
Thanks a lot in advance.
BTW: You concealed the URL in the article’s text but did not in the HTTP header screenshot. By intention or by accident?
Thanks a lot for your feedback – and you are completely right! 🙂 We’ve changed the text accordingly.
The “C&C server” from which the binary was downloaded appears to be just a compromised website. The legitimate server owner probably noticed the infection and started by removing the file, but as that caused lots of entries in the error log from the compromised machines, they created a dummy file in its place.