Gray Hat Hacker Compromises Locky Ransomware Botnet; Replaces Payload with Alert Message


In a reversal of the usual trend, the hacking of malware botnets is becoming common practice. Recently, a well-intentioned hacker compromised an operation distributing Locky ransomware and planted an alert message in place of the malware's payload, thereby cautioning Internet users.

Similarly, another such gray hat attacker tampered with Locky ransomware's distribution, replacing its payload with a message intended for the public that warns potential victims against opening unknown documents.

The incident comes some 14 days after the anti-virus firm Avira posted that an unidentified perpetrator had broken into a major C&C server and put code in Locky's place that displayed a message reading "Stupid Locky."

Avira states that one of its security researchers encountered a strange malware sample coming from the botnet that distributed spam containing Locky ransomware.

The file in the spam came zipped with a piece of JavaScript which, when clicked, downloaded Locky and ran it on the computer, thereby encrypting its data folders.

This time, Paivi T, a researcher at F-Secure, discovered that the file, rather than downloading Locky, pulled down some other content and executed it on the system, Softpedia.com reported on May 17, 2016.

Apparently somebody broke into the network distributing Locky and, in place of the malware's payload, planted an innocuous file that displays a simple popup alert warning end-users against opening e-mail attachments sent by potentially suspicious sources.

A blog post from F-Secure likewise said that Paivi T, a member of the company's threat intelligence group, found evidence of a similar hack in which, instead of the payload, a message appeared telling the user that he was seeing it because he had clicked on a malicious file, and that to remain safe he should not open unfamiliar e-mail attachments.

F-Secure gave no indication of any link between the two breaches.

A similar incident occurred prior to February 2015, when someone broke into the Dridex botnet to make it serve Avira's AV downloader rather than the Dridex banking malware. Another followed in April 2016, when somebody hacked the Locky botnet and replaced the ransomware with a blank document that displayed the title "Stupid Locky."

» SPAMfighter News - 5/23/2016
