Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Grey Hats Hack Locky Ransomware Distribution Network Again

Hackers once again took a swing at the Locky distribution network and replaced the malicious payload with a benign file, researchers at F-Secure report.

Hackers once again took a swing at the Locky distribution network and replaced the malicious payload with a benign file, researchers at F-Secure report.

Locky ransomware managed to rise to fame over the past few months, which also attracted increasing attention from grey hats willing to disrupt its operations. Just over a a week ago, grey hat hackers managed to breach the ransomware’s network and replace the malicious Locky executable with a dummy file containing the string “Stupid Locky.”

At the time, Avira researchers revealed that the harmless file was observed in a spam email designed to trick recipients into opening an attachment by informing them of an unpaid fine. The attached file in the spam emails was actually a malware downloader configured to grab Locky from the attacker’s server and execute it, but the final payload wasn’t the ransomware itself.

Once again, the Locky distribution network was supposedly hacked by a grey hat who changed the final payload, F-Secure researchers reveal. However, instead of simply using a dummy file, the hacker decided to attempt rising user awareness on malicious programs.

One of the distribution methods used by Locky operators is JScript (.js) attachments, and it was employed in this campaign as well. However, instead of Locky, the .js file was fetching a payload warning users that they opened a malicious file, that they should not enable macros in Office documents, and that they should not open email attachments coming from unknown sources.

This incident shows not only that a grey hat hacker might be after Locky, but that ransomware’s operators aren’t doing their best to secure their assets. Earlier this year, the Dridex botnet was hacked to distribute clean copies of Avira antivirus, and the Locky payload was replaced twice in two weeks, and researchers managed to exploit a flaw in the Dridex C&C (command and control) panel to learn more on its operations.

To better put things into context, we should also remind you that in early March, the Dridex botnet started distributing Locky via JavaScript attachments. Researchers also revealed at the time a tight connection between the two pieces of malware and concluded that both are operated by the same threat actor.

Advertisement. Scroll to continue reading.

Although it emerged on the threat landscape in February, Locky stormed the ransomware market to become one of the largest threats in a matter of weeks, and this appears to have attracted significant attention. However, unlike security researchers who usually attempt to block infections and to help users restore their files for free, grey hats are not shy when it comes to using hacking techniques to beat malware operators at their own game.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...