Someone Replaced Notorious 'Locky' Ransomware With a Dud File

A researcher found that a Locky campaign downloaded the message "Stupid Locky", rather than encrypting victims' files.

May 5 2016, 2:15pm

A blank. Photo: Travis Goodspeed/Flickr

Locky, a particularly successful variant of ransomware, has infected systems far and wide recently. Now in one Locky campaign, the part of the malware that encrypts victims' files has mysteriously been replaced with a harmless piece of text, rendering it totally ineffective, The Register reports.

In a blog post published on Wednesday, Sven Carlsen from cybersecurity company Avira wrote that while researching a piece of Locky, he was presented with something much more banal than a malicious payload.

"In place of the expected ransomware, we downloaded a 12kb binary with the plain message 'Stupid Locky,'" he wrote. Instead of having all of his files encrypted, Carlsen was just presented with an error message.

Since its emergence in February, Locky has infected targets in the US, Europe, Pakistan and elsewhere. It relies on targets turning on macros in malware-laden Word documents, and once Locky has done its job and locked down files, victims need to log onto a Tor hidden service and cough up a ransom of around one bitcoin.

How Locky is delivered. Screengrab courtesy Craig Williams

The reason for this substitution of a bit of text, Carlsen speculates, is that another, perhaps benevolent hacker has managed to take over one of the command-and-control servers used by Locky. From here, the white hat may have replaced the file.

"It shows that even cybercriminals, masters of camouflage, are also vulnerable," he writes.

Other researchers were more skeptical however, pointing out that there are several potential reasons for this swap.

"It's possible a white hat might have targeted this [command-and-control] server, but it's also possible another threat actor or random hacker targeted it," Craig Williams, senior technical leader and security outreach manager at Talos, part of cybersecurity company Cisco, told Motherboard in a Twitter message.

"Unfortunately for the bad guys there is no honor among thieves," he added.

And perhaps the owner of the server swapped the files themselves. "It could be just to save bandwith," Williams said.

Ryan Olson, intelligence director at Unit 42, which is part of cybersecurity company Palo Alto Networks, had another idea.

"The website that was hosting the Locky malware in this instance is a legitimate website, which was compromised by the attacker distributing Locky," he wrote in an email. "Rather than a 'white hacker' attacking Locky, it appears that the website owner removed the malware and set their web server up to return the text 'STUPID LOCKY' instead of the Locky executable. Typically during clean-ups like this, the website owner removes the file, leading the downloader to receive an HTTP 404 error message, but in this case they got a little more creative."

As The Register noted, white hat hackers have supposedly ripped out the malicious part of malware before. In February, a server distributing the Dridex bank trojan ended up serving a fully up to date piece of anti-virus software.