Hackers once again took a swing at the Locky distribution network and replaced the malicious payload with a benign file, researchers at F-Secure report.
Locky ransomware managed to rise to fame over the past few months, which also attracted increasing attention from grey hats willing to disrupt its operations. Just over a a week ago, grey hat hackers managed to breach the ransomware’s network and replace the malicious Locky executable with a dummy file containing the string “Stupid Locky.”
At the time, Avira researchers revealed that the harmless file was observed in a spam email designed to trick recipients into opening an attachment by informing them of an unpaid fine. The attached file in the spam emails was actually a malware downloader configured to grab Locky from the attacker’s server and execute it, but the final payload wasn’t the ransomware itself.
Once again, the Locky distribution network was supposedly hacked by a grey hat who changed the final payload, F-Secure researchers reveal. However, instead of simply using a dummy file, the hacker decided to attempt rising user awareness on malicious programs.
One of the distribution methods used by Locky operators is JScript (.js) attachments, and it was employed in this campaign as well. However, instead of Locky, the .js file was fetching a payload warning users that they opened a malicious file, that they should not enable macros in Office documents, and that they should not open email attachments coming from unknown sources.
This incident shows not only that a grey hat hacker might be after Locky, but that ransomware’s operators aren’t doing their best to secure their assets. Earlier this year, the Dridex botnet was hacked to distribute clean copies of Avira antivirus, and the Locky payload was replaced twice in two weeks, and researchers managed to exploit a flaw in the Dridex C&C (command and control) panel to learn more on its operations.
To better put things into context, we should also remind you that in early March, the Dridex botnet started distributing Locky via JavaScript attachments. Researchers also revealed at the time a tight connection between the two pieces of malware and concluded that both are operated by the same threat actor.
Although it emerged on the threat landscape in February, Locky stormed the ransomware market to become one of the largest threats in a matter of weeks, and this appears to have attracted significant attention. However, unlike security researchers who usually attempt to block infections and to help users restore their files for free, grey hats are not shy when it comes to using hacking techniques to beat malware operators at their own game.