‘Locky’ sounds like a cute nickname, though the reality of this ransomware is quite the opposite. It infects a machine (and any network shares it can reach), then encrypts files. A ransom is then demanded, and in the case of multiple machines in a company, this can be a great sum (50% of Locky ransomware victims have been small-to-medium businesses to date). It is one of the most complex and effective ransomware variants so far.
The malware is usually spread by a botnet – a network of covertly compromised computers that relay infected spam, distributing the infection. The botnet is controlled from a command and control server (C&C). Earlier this year, the server that Locky downloads from was hacked, and the ransomware executable (.exe) was replaced by an empty file reading ‘STUPID LOCKY’.
The Locky ransomware network has been hacked (or ‘cracked’) again. In normal Locky operation, if a user is inattentive or naive enough to open the e-mail attachment – a .zip archive containing malicious JavaScript – the ransomware would launch, and goodbye files. What this hacker/cracker has done is to replace the .exe payload of Locky with a warning to the intended victim. On opening the file, a pop-up is displayed which reads, ‘You are reading this message because you have opened a malicious file. For your safety, don’t open unknown emails attachment’ [sic].
A similar occurrence happened in February last year when the Dridex botnet was hacked. The malware was reconfigured to deliver an antivirus software sample instead of the banking trojan. White (or Grey) Hat hackers (or crackers) are increasingly attacking these malware networks. Perhaps a proactive response like this is what is needed to combat the rising threat. It is fine for companies to defend themselves more efficiently – this much they owe to their investors and customers. But with every new defensive method comes a malware advancement or change of strategy to match – it’s time to be proactive against malware threats like Locky.