
Suck on this: White hats replace Locky malware payload with dummy

I expected a ransom note and all I got was this stupid Locky

Pranksters have infiltrated the control system behind the infamous Locky ransomware and replaced the malware’s main payload with a dummy file.

Locky normally spreads through spam runs: messages sent to prospective marks carry an attachment posing as an invoice or similar, and inside it is disguised, malicious JavaScript that fetches and runs the ransomware.

Windows users who open the malicious attachment are likely to become infected, and the infection encrypts the user's files. Once that has happened it is normally impractical to recover the scrambled files without paying the crooks a fee for the private key needed to decrypt them.

The hack by as yet unidentified white hats meant that, in place of the expected ransomware, “victims” were served a 12KB file carrying the plain message “Stupid Locky”. It isn't a valid executable, so it will not run, anti-virus firm Avira reports.
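The reason a dummy like that is harmless is that Windows will not load a file that lacks the basic PE structure. As an added illustration, not code from the article, from Avira, or from any Locky sample, the check below is what an analyst (or a mail gateway that detonates attachments) would run on a fetched second stage before treating it as a runnable payload. The "Stupid Locky" file is reconstructed here as a constructed stand-in of the reported size, not the real sample; the valid counterpart is a minimal hand-built DOS-plus-COFF header, enough to pass the loader's first checks but not a complete program.

```python
import struct

# Constructed stand-in for the dummy Avira describes: 12KB, plain text, no PE headers.
# This is NOT the actual file served from the hijacked server.
DUMMY_PAYLOAD = b"Stupid Locky".ljust(12 * 1024, b"\0")

# Machine types the Windows loader will run on the platforms Locky targeted.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def is_valid_pe(data: bytes):
    """Return (True, "") if data has the PE skeleton the loader requires,
    otherwise (False, reason). Checks the DOS 'MZ' magic, that e_lfanew
    points inside the file, the 'PE\\0\\0' signature, and the machine type."""
    if len(data) < 64:
        return False, "shorter than a DOS header"
    if data[:2] != b"MZ":
        return False, "no MZ signature"
    # e_lfanew lives at offset 0x3C of IMAGE_DOS_HEADER and points at the PE header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4) + IMAGE_FILE_HEADER (20) must fit inside the file.
    if e_lfanew + 24 > len(data):
        return False, "e_lfanew points past end of file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, "no PE signature"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    if machine not in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        return False, f"unexpected machine type 0x{machine:04x}"
    return True, ""


def build_stub_pe() -> bytes:
    """Constructed minimal valid-looking PE: a 64-byte DOS header whose e_lfanew
    points straight at a 'PE\\0\\0' signature followed by an x86 COFF header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> right after DOS header
    coff = struct.pack(
        "<HHIIIHH",
        IMAGE_FILE_MACHINE_I386,  # Machine
        0,                        # NumberOfSections
        0,                        # TimeDateStamp
        0,                        # PointerToSymbolTable
        0,                        # NumberOfSymbols
        0,                        # SizeOfOptionalHeader
        0x0102,                   # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\0\0" + coff


def classify_payload(data: bytes) -> str:
    """What a cautious fetcher would conclude about a downloaded second stage."""
    ok, reason = is_valid_pe(data)
    return "runnable PE" if ok else f"discard: {reason}"


if __name__ == "__main__":
    print("dummy :", classify_payload(DUMMY_PAYLOAD))   # discard: no MZ signature
    print("stub  :", classify_payload(build_stub_pe()))  # runnable PE
```

Note that passing these checks only means the loader will get as far as parsing the image; it says nothing about whether the file is benign. In an analysis pipeline this is the gate before hashing, signature checks and detonation, not a substitute for them.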

“It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file,” Sven Carlsen, a security team manager at Avira, explains in a blog post.

What happened is very unlikely to be anything more than a temporary snag for the cybercrooks behind Locky, even though it does suggest they’ve been a bit sloppy.

The whole incident is rare but far from unprecedented. For example, a white hat carried out a similar attack against the Dridex banking trojan botnet back in February that saw the malicious payload removed and an Avira antivirus downloader added instead.

Miscreants behind the Dridex botnet recently switched from pushing trojans towards slinging variants of the Locky ransomware, so there may be elements of commonality between the two incidents.

Locky was recently rated as the second most prevalent form of ransomware, according to security appliance firm Fortinet. CryptoWall remains the most commonly encountered ransomware threat. ®
