According to the security expert Sven Carlsen from Avira, hackers have dismantled a Locky campaign by hacking the command and control server. Carlsen explained that threat actors behind the Locky campaign spread the threat via spam email with a malicious attachment.

The attachment was a downloader that fetches the Locky ransomware from a server generated with a domain generation algorithm (DGA) and executes it.

While the researchers from Avira were analyzing the threat discovered that the downloader fetches a 12b string containing the message “STUPID LOCKY,” instead the Locky Ransomware binary. Of course, this causes the failure of the attack resulting in an error message being displayed.

What happened?

Most likely hackers breached a server used by the threat actors to host the malware and replaced the code of the Locky ransomware with a harmless file.

“It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file. And I do mean dummy in the fullest expression of the word.” Carlsen wrote.

In the past, other cyber vigilantes have disrupted the hacking campaigns of crooks, Earlier 2016, white hats have attempted to shut down the distribution channels of the Dridex botnet and replaced the malware with a clean copy of an Avira antivirus application.

“I don’t believe that cybercriminals themselves would have initiated this operation because of the potential damage to their reputation and income stream. I also wouldn’t say that ‘Locky is dead’ after this operation,” Carlsen added. “As we know, they are still active and understand their ‘business’ very well. But after the examples of Dridex and now Locky, it shows that even cybercriminals, masters of camouflage, are also vulnerable.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ransomware, cybercrime)