STUPID LOCKY! Hackers disrupted a Locky ransomware Campaing

Pierluigi Paganini May 07, 2016

Hackers have disrupted a Locky campaign after they compromised one of the cybercriminal servers used by the threat actors.

According to the security expert Sven Carlsen from Avira, hackers have dismantled a Locky campaign by hacking the command and control server. Carlsen explained that threat actors behind the Locky campaign spread the threat via spam email with a malicious attachment.

The attachment was a downloader that fetches the Locky ransomware from a server generated with a domain generation algorithm (DGA) and executes it.

While the researchers from Avira were analyzing the threat discovered that the downloader fetches a 12b string containing the message “STUPID LOCKY,” instead the Locky Ransomware binary. Of course, this causes the failure of the attack resulting in an error message being displayed.

Locky campaign botnet

What happened?

Most likely hackers breached a server used by the threat actors to host the malware and replaced the code of the Locky ransomware with a harmless file.

“It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file. And I do mean dummy in the fullest expression of the word.” Carlsen wrote.

In the past, other cyber vigilantes have disrupted the hacking campaigns of crooks, Earlier 2016, white hats have attempted to shut down the distribution channels of the Dridex botnet and replaced the malware with a clean copy of an Avira antivirus application.

“I don’t believe that cybercriminals themselves would have initiated this operation because of the potential damage to their reputation and income stream. I also wouldn’t say that ‘Locky is dead’ after this operation,” Carlsen added. “As we know, they are still active and understand their ‘business’ very well. But after the examples of Dridex and now Locky, it shows that even cybercriminals, masters of camouflage, are also vulnerable.”

Like the CryptoWall ransomware, Locky uses to change the filenames of encrypted files to make harder data recovery.

When started, Locky creates and assigns a unique 16 hexadecimal number to the infected machine, then he will scan all drives and unmapped network shares for files to encrypt.

The malware uses the AES encryption algorithm and encrypts only file with extensions matching a certain criteria while it skips files containing certain strings in their full pathname and filename (i.e. tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows).

Locky is able to encrypt more than 160 different file types on compromised PCs and victims are asked to pay between $220 and $880 to recover their documents.

The Locky ransomware encrypts files renaming the to [unique_id][identifier].locky, the researchers also discovered that the unique ID and other information are embedded at the end of the encrypted file.

The malware will also delete all of the copies of documents in the Shadow Volume, making impossible to restore files.

Locky leaves a ransom note, the  _Locky_recover_instructions.txtin, in each folder containing encrypted files.

Stay Tuned!

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ransomware, cybercrime)

you might also like

leave a comment