A few months ago, we reported on a white-hat hack against Dridex in which the malicious payload was removed and an Avira antivirus downloader was added in its place.
It seems that a very successful Locky ransomware distribution network has now been the victim of a similar attack by a white-hat hacker.
Locky is ransomware that encrypts the files and personal data on the computers it infects and then extorts money from the victims. We have reported on it in several blog posts, most recently in the latest one.
But in place of the expected ransomware, we downloaded a 12kb binary containing only the plain message “Stupid Locky”.
Execution then terminated immediately, because the file did not have a valid executable structure.
It seems that someone was able to access one of the command and control servers and replace the original Locky ransomware with a dummy file. And I do mean dummy in the fullest sense of the word. Now, I don’t believe the cybercriminals themselves would have initiated this operation, given the potential damage to their reputation and income stream. Nor would I say that “Locky is dead” after this operation. As we know, the operators are still active and understand their “business” very well. But the examples of Dridex and now Locky show that even cybercriminals, masters of camouflage, are vulnerable too.