A brand new ransomware has been trying hard to act like Locky these days. However, the infection turned to be nothing but a cheap clone, which was most probably created by a Hungarian developer.
The new ransomware strain is called Hucky, just like Locky in Hungarian, nicknamed by its founder, the Avast malware analyst Jakub Kroustek. According to Kroustek, something might have been amiss when he found out that the new strain, which initially he thought to be Locky, appended the .locky extension to the encrypted files.
In fact, Locky ransomware hadn’t used the .locky file extension for months, switching to .zepto, .odin, .shit, and more recently to .thor.
After analyzing the infection deeper, Kroustek found out that the image used by the ransomware for changing the user’s desktop wallpaper had also been tampered with, showing a small lock icon in the top upper right corner. It is something which the original Locky version doesn’t show.
The second evidence proving that this was not the original Locky ransomware but just a cheap knock-off, was the fact that Hucky wanted users to email the ransomware creator for each infection. While Locky uses an automated website hosted on the Dark Web, meaning that there’s no direct connection between the Locky hackers and the infected users. Also, Hucky ransomware targeted only half the files which Locky targets for encryption and infected gaming-related files connected to Minecraft, StarCraft2, and World of Tanks.
Apart from the above-mentioned, Jakub Kroustek discovered that Hucky ransomware was coded in Microsoft VisualBasic, while the original Locky was built with Microsoft Visual C++. Besides, Hucky forcibly restarts the victim’s computer as soon as the ransomware encrypts all his files, which is something that Locky never does.
The first evidence that Hucky was created by a Hungarian developer showed up in the image and text-based ransom notes left around the PC, which were available in Hungarian only. After analyzing the source code of Hucky, Kroustek said that he found a large number of Hungarian words. Considering the fact that most of these words were combined with l33t speak, they didn’t appear to be false flags, planted by the malware author to mislead the security experts. Also, the PDB debug strings contained the malware creator’s potential name, as well as some other Hungarian words.
“[T]he Hungarian texts don’t seem to be machine translated (although they contain some spelling errors),” Kroustek explains.
The files which distributed the ransomware were called turul.exe and semmi.exe, Turul being a type of hawk, the Hungary’s national symbol, and semmi being the Hungarian word for “nothing.”
“We can conclude that Hucky is a new ransomware strain currently targeting Hungarian users only. Based on the aforementioned leads, there is a fair chance that its author is a native Hungarian speaker,” Kroustek claims. “The Hungarian orientation is probably also the reason why Hucky’s prevalence is low at the moment.”
– Image source: Softpedia.com
