“I’m with Stupid” Locky network gets hacked and dissed

Share this…

A few months ago, we reported on a white hack against Dridex where the malicious payload was removed and an Avira antivirus downloader added.

It seems that a very successful Locky ransomware distribution network has been the victim of a similar attack by a white hacker.

Locky is a ransomware that encrypts the files and personal data on computers after infecting them and then extorts money from the victims afterwards. We have reported about it in several blog posts, like the latest one.

The spreading of this ransomware via email is fairly direct: A JavaScript is masked as an invoice and attached to the email. The infection process starts once the recipient is tricked and clicks on the attached file to execute it. The social engineering used to trick computer users and make the infection work can be seen in spearphishing emails like this one:

locky_stupid_01

The JavaScript inside the attachment is usually obfuscated which means the real content isn’t visible or understandable for the reader. Within the JavaScript itself is a domain generation algorithm  for connecting and downloading the original Locky ransomware from the criminals’ server. Additionally, the downloader directs where the malicious files have to be copied to within the infected system as well as executes the downloaded file. In our case, the following URL was generated:

hxxp://cafeaparis.eu/f7****d

But in place of the expected ransomware, we downloaded a 12kb binary with the plain message “Stupid Locky”

locky_stupid_02

Subsequently, the execution was directly terminated as the file did not have a valid structure.

locky_stupid_03

It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file. And I do mean dummy in the fullest expression of the word. Now, I don’t believe that cybercriminals themselves would have initiated this operation because of the potential damage to their reputation and income stream. I also wouldn’t say that “Locky is dead” after this operation. As we know, they are still active and understand their “business” very well. But after the examples of Dridex and now Locky, it shows that even cybercriminals, masters of camouflage, are also vulnerable.

Source:https://blog.avira.com/