Victims of ransomware attacks often feel foolish for being duped, but a vigilante hacker turned the tables on one major Locky ransomware distributor, after hacking into its command and control server and swapping out the malicious payload with a script that contains the message “Stupid Locky.”
Word of the hack spread among cybersecurity circles this week and was reported yesterday in a blog post by German IT security company Avira. According to the post's author, Sven Carlsen, Avira researchers recently studied a malicious file attachment that, upon opening, connected the user's machine to a C&C server linked to a “very successful” Locky ransomware distribution network. But instead of ransomware, the machine downloaded a 12 KB binary containing the aforementioned derisive anti-Locky message. Execution of the downloaded file was subsequently terminated because it did not have a valid executable structure.
Apparently, a hacker was able to swap out Locky with a dummy file, leaving the snarky message behind for a laugh at the distributor's expense.
“I don't believe that cybercriminals themselves would have initiated this operation because of the potential damage to their reputation and income stream. I also wouldn't say that 'Locky is dead' after this operation,” wrote Carlsen. “But after the examples of Dridex and now Locky, it shows that even cybercriminals, masters of camouflage, are also vulnerable.”
While Avira referred to the incident as a white hat hack, Greg Leah, principal threat researcher at email security firm Cloudmark, disagreed with that conclusion. “That's definitely not a white hat doing this. White hats don't go about compromising servers and changing codes,” said Leah, who called the prankster a “gray hat at best.”
Whatever server the Locky distributor originally compromised to spread its malware, Leah suspects this hacker likely “used the same vulnerability in the legitimate server as the criminals did” in order to gain access and pull off the malware switcheroo. Unfortunately, such an attack is not indicative of a larger vulnerability in the Locky infrastructure that security researchers could use to curtail its propagation, he noted.
Cloudmark presented its own recent findings on Locky today in its Q1 Security Threat Report. Among its findings:
Locky's distribution rate exploded exponentially in Q1 2016. The U.S. saw the highest raw volume of attacks, receiving almost 36 percent of global messages containing Locky and its derivatives. But Italy and Japan were surprisingly hit the next hardest, receiving 16.2 and 15.2 percent of Locky-laced messages, respectively. “We're seeing massive email spam campaigns daily in very high volumes,” said Leah of the aggressive distribution.
Purveyors of Locky began changing distribution tactics in Q1, eschewing the use of traditional macros in favor of heavily obfuscated script files hidden inside .zip and .rar archives. Other malware families began copying this technique as well, due to its effectiveness. The obfuscation techniques include placing a benign file alongside the malicious script files in the archive to fool Bayesian filtering, as well as inserting random numbers and letters into content and archive file names to evade malware signature detection.
Finally, Cloudmark researchers observed several malicious Locky campaigns delivering malware payloads using Windows Script Files (.wsf), an uncommon format for these kinds of attacks. These .wsf files allow mixtures of JScript, VBScript, and other scripting languages within a single XML-formatted file, the report explained.
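The delivery pattern the report describes (a script file inside an archive, a benign decoy beside it, and randomised characters padding the file names) is something a mail gateway can check for before an attachment reaches a user. The following is an added example written for this page in Python; it is not code from the article, Cloudmark or Avira. It only handles .zip (the Python standard library has no .rar reader), the extension lists and the name-randomisation threshold are assumptions chosen for the example, and the sample archive is constructed in the code with placeholder script bodies.

```python
"""Inspect an e-mail attachment archive for the Locky-era delivery pattern:
a script member next to a benign decoy, with randomised file names.
Example code for this page, not from the article, Cloudmark or Avira."""
import io
import zipfile

# Extensions that Windows Script Host or mshta will run on double-click (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Extensions a user would expect in a "document" archive (assumed list).
DECOY_EXTENSIONS = {".txt", ".pdf", ".jpg", ".png", ".docx", ".xlsx"}


def split_ext(name):
    """Return (stem, lower-cased extension with dot) of a member name."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return base, ""
    return stem, "." + ext.lower()


def letter_digit_transitions(stem):
    """Count switches between letters and digits in a file-name stem.
    'invoice' or 'scan_0091' switch at most once; a padded name such as
    'invoice_copy_7d3k9a2f' switches many times."""
    classes = ["d" if ch.isdigit() else "a" for ch in stem if ch.isalnum()]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def looks_randomized(stem, min_transitions=4):
    # Threshold is an assumption chosen for this example, not a published value.
    return letter_digit_transitions(stem) >= min_transitions


def analyze_archive(archive_bytes):
    """Return a report dict describing every member of a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stem, ext = split_ext(info.filename)
            head = zf.open(info).read(512)  # only the first 512 bytes are needed
            findings.append({
                "name": info.filename,
                "is_script": ext in SCRIPT_EXTENSIONS,
                "is_decoy": ext in DECOY_EXTENSIONS,
                "randomized_name": looks_randomized(stem),
                # A .wsf is XML-wrapped script; its <script language=...> tag is visible in the header.
                "wsf_markup": ext == ".wsf" and b"<script" in head.lower(),
            })
    scripts = [f for f in findings if f["is_script"]]
    decoys = [f for f in findings if f["is_decoy"]]
    return {
        "members": findings,
        "script_count": len(scripts),
        "decoy_beside_script": bool(scripts) and bool(decoys),
        "randomized_script_names": [f["name"] for f in scripts if f["randomized_name"]],
        "verdict": "quarantine" if scripts else "allow",
    }


def build_sample_archive():
    """Constructed sample: a decoy text file next to two script members (placeholder bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Please see the attached invoice.\n")
        zf.writestr("invoice_copy_7d3k9a2f.js", "// placeholder body, not a real dropper\nvar a = 1;\n")
        zf.writestr("scan_0091.wsf",
                    '<job id="x"><script language="JScript">// placeholder</script></job>')
    return buf.getvalue()


def build_benign_archive():
    """Constructed sample with no script members, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report_Q1_2016.txt", "Quarterly figures attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = analyze_archive(build_sample_archive())
    for member in report["members"]:
        print(member)
    print("verdict:", report["verdict"])
```

The verdict is driven by the presence of any script-host extension at all; the decoy and name-randomisation signals are reported separately because they are useful for triage and for tuning a Bayesian filter that the decoy file is meant to mislead, but they are not needed to justify quarantining an archive that carries a .js or .wsf member.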