Hacking

STUPID LOCKY! Hackers disrupted a Locky ransomware Campaing

Hackers have disrupted a Locky campaign after they compromised one of the cybercriminal servers used by the threat actors.

According to the security expert Sven Carlsen from Avira, hackers have dismantled a Locky campaign by hacking the command and control server. Carlsen explained that threat actors behind the Locky campaign spread the threat via spam email with a malicious attachment.

The attachment was a downloader that fetches the Locky ransomware from a server generated with a domain generation algorithm (DGA) and executes it.

While the researchers from Avira were analyzing the threat discovered that the downloader fetches a 12b string containing the message “STUPID LOCKY,” instead the Locky Ransomware binary. Of course, this causes the failure of the attack resulting in an error message being displayed.

Locky campaign botnetLocky campaign botnet

What happened?

Most likely hackers breached a server used by the threat actors to host the malware and replaced the code of the Locky ransomware with a harmless file.

“It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file. And I do mean dummy in the fullest expression of the word.” Carlsen wrote.

In the past, other cyber vigilantes have disrupted the hacking campaigns of crooks, Earlier 2016, white hats have attempted to shut down the distribution channels of the Dridex botnet and replaced the malware with a clean copy of an Avira antivirus application.

“I don’t believe that cybercriminals themselves would have initiated this operation because of the potential damage to their reputation and income stream. I also wouldn’t say that ‘Locky is dead’ after this operation,” Carlsen added. “As we know, they are still active and understand their ‘business’ very well. But after the examples of Dridex and now Locky, it shows that even cybercriminals, masters of camouflage, are also vulnerable.”

Like the CryptoWall ransomware, Locky uses to change the filenames of encrypted files to make harder data recovery.

When started, Locky creates and assigns a unique 16 hexadecimal number to the infected machine, then he will scan all drives and unmapped network shares for files to encrypt.

The malware uses the AES encryption algorithm and encrypts only file with extensions matching a certain criteria while it skips files containing certain strings in their full pathname and filename (i.e. tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows).

Locky is able to encrypt more than 160 different file types on compromised PCs and victims are asked to pay between $220 and $880 to recover their documents.

The Locky ransomware encrypts files renaming the to [unique_id][identifier].locky, the researchers also discovered that the unique ID and other information are embedded at the end of the encrypted file.

The malware will also delete all of the copies of documents in the Shadow Volume, making impossible to restore files.

Locky leaves a ransom note, the  _Locky_recover_instructions.txtin, in each folder containing encrypted files.

Stay Tuned!

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ransomware, cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials

FBI warns ex-officials are targeted with deepfake texts and AI voice messages impersonating senior U.S.…

7 minutes ago

Shields up US retailers. Scattered Spider threat actors can target them

Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting…

3 hours ago

U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog<gwmw style="display:none;"></gwmw>

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver…

9 hours ago

Pwn2Own Berlin 2025 Day Two: researcher earned 150K hacking VMware ESXi

On day two of Pwn2Own Berlin 2025, participants earned $435,000 for demonstrating zero-day in SharePoint,…

21 hours ago

New botnet HTTPBot targets gaming and tech industries with surgical attacks

New botnet HTTPBot is targeting China's gaming, tech, and education sectors, cybersecurity researchers warn. NSFOCUS …

22 hours ago

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

1 day ago