Security Alert: Locky Ransomware Changes Tactics, Spoofs Dropbox
Ransomware comes knocking on every backdoor. Will you open?
Locky ransomware has been on a wild distribution spree in the past weeks, trying new ways of achieving even higher infection rates. These experiments focus on changing tactics mid-game and trying out new extensions or new baits to get unsuspecting users to click.
In their latest spam run, the cyber attackers behind the most notorious ransomware strain currently on the market have decided to resort to spoofing Dropbox.
Here is what the deceptive email looks like as opposed to the legitimate one:
As you can see, the two are fairly similar, so it would be quite difficult for the untrained user to spot the suspicious elements. This is why we believe this campaign can have a considerable impact on potential victims.
Add to this the fact that it’s sent on a Friday, when people are usually tired and less attentive, and cyber criminals have a recipe for success.
If a potential victim misses or ignores the warning signs that the email shouldn’t be trusted and clicks, the link on “verify your email” will redirect the user’s traffic to a batch of compromised web pages.
Here is a selection of these pages, sanitized for your protection:
One of these compromised pages, in turn, directs traffic to:
http: // geocean [.] co [.] ID / 657erikftgvb
http: // gtdban [.] net / p66 / 657erikftgvb
http: // givensplace [.] com / 657erikftgvb
The payload is XOR-encoded with the key “84fb8955ed14d24e14534c24c76810db” so that the strain can slip past various gateway scanners.
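As an added example (not code from the article or from CSIS), here is how an analyst could unwrap such a download so the executable inside can be handed to a sandbox or scanner. It assumes the key is applied as a repeating byte string and, since the article does not say which, tries both the 32 ASCII characters of the hex string and the 16 raw bytes it encodes, keeping the reading that yields a well-formed PE header.

```python
# Added example, not the article's or CSIS's code. The key below is the one
# quoted in the article; how the loader applies it is an assumption, so both
# the ASCII and the raw-hex reading are tried (repeating-key XOR in each case).
import struct

KEY_HEX = "84fb8955ed14d24e14534c24c76810db"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, cycling the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: 'MZ' signature and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def unwrap_payload(encoded: bytes, key_hex: str = KEY_HEX):
    """Return (key_reading, decoded) for the reading that yields a PE,
    or None if neither does (the sample is then probably not this loader)."""
    candidates = {
        "ascii-key": key_hex.encode("ascii"),  # 32 bytes, the hex text itself
        "raw-key": bytes.fromhex(key_hex),     # 16 bytes the hex text encodes
    }
    for label, key in candidates.items():
        decoded = xor_repeating(encoded, key)
        if looks_like_pe(decoded):
            return label, decoded
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a real payload: DOS header + PE magic only."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)       # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)        # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x90" * 64


if __name__ == "__main__":
    # Constructed sample: the fake PE wrapped with the raw-byte reading of the key.
    sample = xor_repeating(build_fake_pe(), bytes.fromhex(KEY_HEX))
    print(unwrap_payload(sample)[0])  # raw-key
```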
The inattentive user will end up with their data encrypted, not only locally, but also on other drives connected to the same network. The extension used is .lukitus, which first emerged last month (August 2017).
Current Command and Control servers include:
http: // fqtsqwhqdcjsn [.] pw / imageload.cgi
http: // btvcvfekgnnct [.] biz / imageload.cgi
http: // meklyxcoteyewsx [.] ru / imageload.cgi
http: // asonqpakatx [.] work / imageload.cgi
Another issue with this campaign is its very low detection rate: only 3/58 engines on VirusTotal flagged the sample.
This week has not been kind to Internet users, as Locky campaigns piled up and a historical data dump of over 700 million email addresses (and their passwords) made its way into the hands of cyber criminals.
Once again, we can’t help but suggest you take a few minutes to learn how ransomware works and what you can do to stay safe. It doesn’t take that many resources (time- and money-wise) to keep ransomware away, but those little steps can make the difference between a clean, safe device and a big headache.
This is especially true since cyber security researchers have yet to crack Locky and find a free decryption key for it, as they did for these other ransomware strains.
*This article features cyber intelligence provided by CSIS Security Group researchers.