Security Alert: Locky Ransomware Changes Tactics, Spoofs Dropbox

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Locky ransomware has been on a wild distribution spree in the past weeks, trying new ways of achieving even higher infections rates. These experiments focus on changing tactics mid-game and experimenting with new extensions or new baits to get unsuspecting users to click.

In their latest spam run, the cyber attackers behind the most notorious ransomware strain currently on the market have decided to resort to spoofing Dropbox.

Here is what the deceptive email looks like as opposed to the legitimate one:

locky attack dropbox spoofing example

dropbox legitimate email verification example

As you can see, the two are fairly similar, so it would be quite difficult for the untrained user to spot the suspicious elements. This is why we believe this campaign can have a considerable impact on potential victims.

Add this to the fact that it’s sent on a Friday, when people are usually tired and less attentive and cyber criminals have a recipe for success.

is a compromise attempt during which an unauthorized individual tries to gain access to an information system by impersonating an authorized user.

Read more details in our Cyber Security Glossary.

If a potential victim misses or ignores the warning signs that the email shouldn’t be trusted and clicks, the link on “verify your email” will redirect the user’s traffic to a batch of compromised web pages.

Here is a selection of these pages, sanitized for your protection:

http: // Dar-alataa [.] com / dropbox.html
http: // melting-paw [.] com / dropbox.html
http: // flooringforyou [.] co [.] uk / dropbox.html
http: // Fachwerkhaus [.] ws / dropbox.html
http: // binarycousins ​​[.] com / dropbox.html
http: // bayimpex [.] BE / dropbox.html
http: // arthur dennis williams [.] com / dropbox.html
http: // jakuboweb [.] com / dropbox.html
http: // busad [.] com / dropbox.html
http: // ambrogiauto [.] com / dropbox.html

These pages and the rest of the ones included in the batch include malicious Javascript code that connects to the following domain:

http: // dippydado [.] net / json.php

This domain, in turn, directs traffic to:

http: // geocean [.] co [.] ID / 657erikftgvb
http: // gtdban [.] net / p66 / 657erikftgvb
http: // givensplace [.] com / 657erikftgvb

Would you be able to tell this is a fake email?

The payload is XORd with the key “84fb8955ed14d24e14534c24c76810db” in order to enable the strain to bypass different gateway scanners.

The inattentive user will end up with his/her data encrypted, not only locally, but also on other drives connected in the same network. The extension used is .lukitus, which first emerged last month (August 2017).

Current Command and Control servers include:

http: // fqtsqwhqdcjsn [.] pw / imageload.cgi
http: // btvcvfekgnnct [.] biz / imageload.cgi
http: // meklyxcoteyewsx [.] ru / imageload.cgi
http: // asonqpakatx [.] work / imageload.cgi

Another issue with this campaign is the fact that it achieves a very low detection rate: only 3/58 on VirusTotal.

virustotal detection rate - September 1 2017

This week has not been kind to Internet users, as Locky campaigns piled up and a historical data dump of over 700 million email addresses (and their passwords) made its way into the hands of cyber criminals.

Once again, we can’t help but suggest you take a few minutes to learn how ransomware works and what you can do to stay safe. It doesn’t that many resources (time and money-wise) to keep ransomware away, but those little steps can make the difference between a clean, safe device and a big headache.

This is especially true since cyber security researchers have yet to crack Locky and find a free decryption key for it, as they did for these other ransomware strains.

Keep safe!

*This article features cyber intelligence provided by CSIS Security Group researchers.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Heimdal Security
We protect users and companies from cyber-criminal actions, by keeping confidential information and intellectual property safe. We build products focused on proactive cyber security and we dedicate a big part of our efforts to cyber security education for everyone.
Promoted Content
Expert Roundup: Is Internet Security a Losing Battle?
A while ago, one of our readers asked us to answer the following questions: Is Internet security a losing battle? How come companies are always 1-2 steps behind the fight? How can the bad guys respond so fast?That reader is certainly not the only one with this issue on his mind. Many Internet users feel discouraged by the current state of cyber crime and its consequences, and the rest don’t yet understand why they should care about it. We wanted to do something to change this.Naturally, users like you and me are not the only ones who wrestle this dilemma. Within the industry, cyber security experts are deeply involved in studying the causes and changes which have brought us to this point so they can create better solutions. Each of these experts brings a different perspective to the discussion, because no single person can ever claim to have the full picture.That is why we reached out to some of the most experienced cyber security specialists in the field to gather their thoughts on the topic. We believe that the questions we received are justified and they deserve an honest answer. And you will find plenty of them in the article!

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?