Locky ransomware has been on a wild distribution spree in the past weeks, trying new ways of achieving even higher infections rates. These experiments focus on changing tactics mid-game and experimenting with new extensions or new baits to get unsuspecting users to click.

In their latest spam run, the cyber attackers behind the most notorious ransomware strain currently on the market have decided to resort to spoofing Dropbox.

Here is what the deceptive email looks like as opposed to the legitimate one:

[Image: the spoofed Dropbox email used in the Locky campaign]

[Image: a legitimate Dropbox email verification message]

As you can see, the two are fairly similar, so it would be quite difficult for the untrained user to spot the suspicious elements. This is why we believe this campaign can have a considerable impact on potential victims.

Add this to the fact that it’s sent on a Friday, when people are usually tired and less attentive and cyber criminals have a recipe for success.

Spoofing is a compromise attempt during which an unauthorized individual tries to gain access to an information system by impersonating an authorized user.

Read more details in our Cyber Security Glossary.

If a potential victim misses or ignores the warning signs that the email shouldn’t be trusted and clicks, the link on “verify your email” will redirect the user’s traffic to a batch of compromised web pages.
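The two warning signs described above (a display name claiming to be Dropbox while the sender domain is not, and a "verify your email" link pointing to an unrelated host serving dropbox.html) can be checked mechanically before a user ever clicks. The following is an added example written for this page, not code from the campaign or from the original article; the trusted domain list, the sender address and the link host in the sample message are assumptions, and the sample email is constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"dropbox.com", "dropboxmail.com"}  # assumed legitimate Dropbox domains

# Constructed sample modelled on the campaign above; sender and link host are made up.
SAMPLE_EMAIL = """\
From: Dropbox <no-reply@dropbox-mail.example>
Content-Type: text/html

<html><body><a href="http://compromised-site.test/dropbox.html">Verify your email</a></body></html>
"""

class _LinkParser(HTMLParser):  # collects (anchor text, href) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def is_trusted(host):
    host = (host or "").lower().rstrip(".")  # exact domain or subdomain only, not look-alikes
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def spoof_indicators(raw_email):  # returns the reasons a mail looks spoofed; [] = none found
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    reasons = []
    # Brand name in the display name, but the sender address is not Dropbox.
    if "dropbox" in display.lower() and not is_trusted(sender_domain):
        reasons.append(f"display name '{display}' but sender domain '{sender_domain}'")
    parser = _LinkParser()
    parser.feed(msg.get_payload())
    # The call-to-action link ("verify your email") leads somewhere other than Dropbox.
    for text, href in parser.links:
        host = urlparse(href).hostname
        if any(w in text.lower() for w in ("verify", "confirm")) and not is_trusted(host):
            reasons.append(f"'{text}' link points to '{host}'")
    return reasons
```

Running `spoof_indicators(SAMPLE_EMAIL)` on the constructed message returns both indicators; the same message with a genuine dropbox.com sender and link returns an empty list.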

Here is a selection of these pages, sanitized for your protection:


These pages, and the rest of the ones included in the batch, include malicious JavaScript code that connects to the following domain:

http: // dippydado [.] net / json.php

This domain, in turn, directs traffic to:

http: // geocean [.] co [.] ID / 657erikftgvb
http: // gtdban [.] net / p66 / 657erikftgvb
http: // givensplace [.] com / 657erikftgvb


The payload is XOR-encoded with the key “84fb8955ed14d24e14534c24c76810db” in order to enable the strain to bypass different gateway scanners.

The inattentive user will end up with his/her data encrypted, not only locally, but also on other drives connected in the same network. The extension used is .lukitus, which first emerged last month (August 2017).

Current Command and Control servers include:

http: // fqtsqwhqdcjsn [.] pw / imageload.cgi
http: // btvcvfekgnnct [.] biz / imageload.cgi
http: // meklyxcoteyewsx [.] ru / imageload.cgi
http: // asonqpakatx [.] work / imageload.cgi

Another issue with this campaign is the fact that it achieves a very low detection rate: only 3/58 on VirusTotal.

[Image: VirusTotal detection rate, September 1 2017]

This week has not been kind to Internet users, as Locky campaigns piled up and a historical data dump of over 700 million email addresses (and their passwords) made its way into the hands of cyber criminals.

Once again, we can’t help but suggest you take a few minutes to learn how ransomware works and what you can do to stay safe. It doesn’t take that many resources (time- and money-wise) to keep ransomware away, but those little steps can make the difference between a clean, safe device and a big headache.

This is especially true since cyber security researchers have yet to crack Locky and find a free decryption key for it, as they did for these other ransomware strains.

Keep safe!

*This article features cyber intelligence provided by CSIS Security Group researchers.



As a dropbox and google-drive user, how do I protect myself easily?
For now I do manual backups (drag-and-drop) of my dropbox to an external drive, and do “archive” (.zip download) of my googledrive, and copy the .zip file to external drive.
I have played around with manual sync of dropbox, but it is also easy to forget.
If a colleague/friend gets hit with ransomware and we have a shared folder – I guess I will risk to be hit as well?
