White hat hacker replaces malware payload in Locky ransomware with dud file

Some Good Samaritan has messed with the pernicious Locky ransomware so that it delivers not malware but a joke.

A vigilante messed with Locky's JavaScript to leave anti-malware messages

A white hat hacker appears to have hacked into Locky ransomware's distribution, rendering it ineffective.

According to a blog post by Avira, a sample the company was looking at unearthed something much less sinister than malware.

“In place of the expected ransomware, we downloaded a 12kb binary with the plain message 'Stupid Locky,'” said Sven Carlsen, team leader of Virus Lab Disinfection Service at Avira.

Locky has been infecting computers and locking their files since February. It has hit targets in the US, Europe and some parts of Asia. It normally comes via an infected Word document.

When opened, the malware encrypts files and urges users to log onto a website on the Dark Web via Tor and pay a ransom of one Bitcoin.

Carlsen speculated that a benevolent hacker had managed to gain control of a command and control server used by Locky and replaced the file.

“It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file. And I do mean dummy in the fullest expression of the word,” said Carlsen. “Now, I don't believe that cyber-criminals themselves would have initiated this operation because of the potential damage to their reputation and income stream.”

Carlsen warned that the malware is far from dead and the cyber-criminals behind it are still active.

“But after the examples of Dridex and now Locky, it shows that even cyber-criminals, masters of camouflage, are also vulnerable,” he added.

Fraser Kyne, regional SE director at Bromium, told SCMagazineUK.com that the incident is interesting from a conceptual perspective, and certainly quite funny.

“The question of ‘Should the industry discourage this type of vigilante action?’ is irrelevant. How could it? One thing is certain: the attackers will morph their tech to work around this. Ransomware is big business.”

“You could certainly argue that this small action has done a job of protecting the individuals and businesses who would otherwise have been impacted by this particular strain of malware. However, in general I'd rather people were spending their efforts proactively stopping malware, rather than reactively mocking malware,” said Kyne.

Carl Herberger, vice president of security solutions at Radware, told SC that companies are deploying more and more defences and that the idea of counter-hacking, or ‘hack backs’, is gaining both traction and acceptance.

“Having said that, much like modern day warfare, the long term efficacy of some of these approaches must start to be evaluated, as not all forms of hacking back are either desirable or lead to the intended results of neutralising the threat; as in this case, it can often be viewed as ‘taunting’ and planting seeds for future retaliation,” he added.

Aftab Afzal, SVP & GM EMEA at Nsfocus, told SC that hackers are normally highly paranoid, and take many measures to conceal their own identities and are serious about their security. “However, they typically rely on using compromised machines to launch their services and this in itself leaves them vulnerable.”