Hacking

STUPID LOCKY! Hackers disrupted a Locky ransomware Campaing

Hackers have disrupted a Locky campaign after they compromised one of the cybercriminal servers used by the threat actors.

According to the security expert Sven Carlsen from Avira, hackers have dismantled a Locky campaign by hacking the command and control server. Carlsen explained that threat actors behind the Locky campaign spread the threat via spam email with a malicious attachment.

The attachment was a downloader that fetches the Locky ransomware from a server generated with a domain generation algorithm (DGA) and executes it.

While the researchers from Avira were analyzing the threat discovered that the downloader fetches a 12b string containing the message “STUPID LOCKY,” instead the Locky Ransomware binary. Of course, this causes the failure of the attack resulting in an error message being displayed.

What happened?

Most likely hackers breached a server used by the threat actors to host the malware and replaced the code of the Locky ransomware with a harmless file.

“It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file. And I do mean dummy in the fullest expression of the word.” Carlsen wrote.

In the past, other cyber vigilantes have disrupted the hacking campaigns of crooks, Earlier 2016, white hats have attempted to shut down the distribution channels of the Dridex botnet and replaced the malware with a clean copy of an Avira antivirus application.

“I don’t believe that cybercriminals themselves would have initiated this operation because of the potential damage to their reputation and income stream. I also wouldn’t say that ‘Locky is dead’ after this operation,” Carlsen added. “As we know, they are still active and understand their ‘business’ very well. But after the examples of Dridex and now Locky, it shows that even cybercriminals, masters of camouflage, are also vulnerable.”

Like the CryptoWall ransomware, Locky uses to change the filenames of encrypted files to make harder data recovery.

When started, Locky creates and assigns a unique 16 hexadecimal number to the infected machine, then he will scan all drives and unmapped network shares for files to encrypt.

The malware uses the AES encryption algorithm and encrypts only file with extensions matching a certain criteria while it skips files containing certain strings in their full pathname and filename (i.e. tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows).

Locky is able to encrypt more than 160 different file types on compromised PCs and victims are asked to pay between $220 and $880 to recover their documents.

The Locky ransomware encrypts files renaming the to [unique_id][identifier].locky, the researchers also discovered that the unique ID and other information are embedded at the end of the encrypted file.

The malware will also delete all of the copies of documents in the Shadow Volume, making impossible to restore files.

Locky leaves a ransom note, the  _Locky_recover_instructions.txtin, in each folder containing encrypted files.

Stay Tuned!

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ransomware, cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

A new Mirai botnet variant targets DigiEver DS-2105 Pro DVRs

Akamai researchers discovered a new Mirai botnet variant targeting a vulnerability in DigiEver DS-2105 Pro…

7 hours ago

A ransomware attack disrupted services at Pittsburgh Regional Transit

A ransomware attack on Pittsburgh Regional Transit (PRT) was the root cause of the agency's…

8 hours ago

A cyber attack hit Japan Airlines delaying ticket sales for flights

A cyberattack hit Japan Airlines (JAL), causing the suspension of ticket sales for flights departing…

12 hours ago

Apache fixed a critical SQL Injection in Apache Traffic Control

Apache Software Foundation (ASF) addressed a critical SQL Injection vulnerability, tracked as CVE-2024-45387, in Apache Traffic…

22 hours ago

BellaCPP, Charming Kitten’s BellaCiao variant written in C++

Iran-linked APT group Charming Kitten has been observed using a new variant of the BellaCiao…

1 day ago

DMM Bitcoin $308M Bitcoin heist linked to North Korea

Japanese and U.S. authorities attributed the theft of $308 million cryptocurrency from DMM Bitcoin to…

1 day ago

This website uses cookies.