Locky ransomware has been on a wild spree in the past weeks, trying new ways of achieving even higher infection rates. This ransomware's operators have focused on changing tactics, experimenting with new file extensions and new baits to get users to click.
In their latest campaign, the attackers behind the most notorious ransomware strain currently on the market have decided to spoof Dropbox.
Here is what the deceptive email looks like compared with the legitimate one:
[Image: side-by-side comparison of the spoofed Dropbox email and the legitimate Dropbox email. Courtesy: Heimdal Security]
As you can see, the two are somewhat similar, so it would be quite difficult for the untrained user to spot the suspicious elements. We believe this campaign can have a considerable impact on potential victims.
Add to this the fact that it's sent on a Friday, when people are usually tired and less attentive, and cyber criminals have a recipe for success.
If a potential victim misses or ignores the warning signs that the email shouldn't be trusted and clicks the "verify your email" link, the user's traffic is redirected to one of a batch of compromised web pages.
Here is a selection of these pages, sanitized for your protection:
http://dar-alataa[.]com/dropbox.html
http://melting-paw[.]com/dropbox.html
http://flooringforyou[.]co[.]uk/dropbox.html
http://fachwerkhaus[.]ws/dropbox.html
http://binarycousins[.]com/dropbox.html
http://bayimpex[.]be/dropbox.html
http://arthurdenniswilliams[.]com/dropbox.html
http://jakuboweb[.]com/dropbox.html
http://busad[.]com/dropbox.html
http://ambrogiauto[.]com/dropbox.html
http://dippydado[.]net/json.php
This domain, in turn, directs traffic to:
http://geocean[.]co[.]id/657erikftgvb
http://gtdban[.]net/p66/657erikftgvb
http://givensplace[.]com/657erikftgvb
The payload is XOR-encoded with the key "84fb8955ed14d24e14534c24c76810db" so that the strain can slip past the signature checks of various gateway scanners.
The user ends up with their data encrypted, not only locally but also on other drives connected to the same network. The extension used is .lukitus, which first emerged last month (August 2017).
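The XOR layer matters to defenders because a gateway looking for a PE header or a known byte signature sees only the encoded bytes. The following script is an added example (not code from the article or from Heimdal Security) showing how an analyst can confirm that a downloaded blob is an XOR-wrapped executable: it tries the article's key both as a raw 16-byte hex value and as a 32-character ASCII string (which interpretation Locky uses is an assumption here, so both are tried) and checks whether the decoded bytes start with the "MZ" marker. The payload bytes are a constructed stand-in, not a real sample.

```python
from itertools import cycle

# Key string quoted in the article. Whether the malware applies it as raw
# hex bytes or as the ASCII characters is not stated, so both are tried.
KEY_STR = "84fb8955ed14d24e14534c24c76810db"


def candidate_keys(key_str: str) -> list:
    """Return the plausible byte forms of a published XOR key (assumption: one of these)."""
    keys = [key_str.encode("ascii")]          # 32 ASCII bytes
    try:
        keys.insert(0, bytes.fromhex(key_str))  # 16 raw bytes, if the string is hex
    except ValueError:
        pass
    return keys


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """A Windows executable starts with the 'MZ' DOS header marker."""
    return blob[:2] == b"MZ"


def try_decode(blob: bytes, keys: list):
    """Return (key, decoded) for the first key that yields a PE header, else (None, None)."""
    for key in keys:
        decoded = xor_with_key(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None, None


# Constructed stand-in for a payload: a fake DOS header plus the usual stub text.
FAKE_PE = (b"MZ\x90\x00\x03\x00\x00\x00"
           + b"This program cannot be run in DOS mode."
           + bytes(32))

# What a gateway would actually receive from the distribution URLs.
ENCODED = xor_with_key(FAKE_PE, KEY_STR.encode("ascii"))


def analyze(blob: bytes) -> dict:
    """Summarise what a signature scanner sees versus what XOR decoding reveals."""
    key, decoded = try_decode(blob, candidate_keys(KEY_STR))
    return {
        "raw_has_mz": looks_like_pe(blob),
        "decoded_has_mz": decoded is not None,
        "key_form": None if key is None else ("hex" if len(key) == 16 else "ascii"),
    }


if __name__ == "__main__":
    print(analyze(ENCODED))
```

The same check generalises to any published single-key XOR indicator: feed the suspect download and the key forms into try_decode and alert when a PE header appears only after decoding.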
Current Command and Control servers include:
http://fqtsqwhqdcjsn[.]pw/imageload.cgi
http://btvcvfekgnnct[.]biz/imageload.cgi
http://meklyxcoteyewsx[.]ru/imageload.cgi
http://asonqpakatx[.]work/imageload.cgi
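The redirect pages, the download locations and the command-and-control URLs above are the indicators a network defender would load into a proxy or DNS alerting rule. The script below is an added example (not code from the article) that refangs a subset of those indicators and matches them against a few constructed squid-style proxy log lines, reporting a hit on an exact URL match or, more loosely, on the host alone. The log lines and their timestamps are invented for the example.

```python
import re
from urllib.parse import urlparse

# Subset of the defanged indicators published in the article above.
DEFANGED_IOCS = [
    "http://dar-alataa[.]com/dropbox.html",
    "http://melting-paw[.]com/dropbox.html",
    "http://flooringforyou[.]co[.]uk/dropbox.html",
    "http://dippydado[.]net/json.php",
    "http://geocean[.]co[.]id/657erikftgvb",
    "http://gtdban[.]net/p66/657erikftgvb",
    "http://givensplace[.]com/657erikftgvb",
    "http://fqtsqwhqdcjsn[.]pw/imageload.cgi",
    "http://btvcvfekgnnct[.]biz/imageload.cgi",
    "http://meklyxcoteyewsx[.]ru/imageload.cgi",
    "http://asonqpakatx[.]work/imageload.cgi",
]

# Constructed proxy log: timestamp, client, result, method, URL, referer.
SAMPLE_LOG = """\
1504256112.123 10.0.0.15 TCP_MISS/200 GET http://www.dropbox.com/home -
1504256130.456 10.0.0.15 TCP_MISS/200 GET http://melting-paw.com/dropbox.html -
1504256131.789 10.0.0.15 TCP_MISS/302 GET http://dippydado.net/json.php -
1504256133.000 10.0.0.15 TCP_MISS/200 GET http://gtdban.net/p66/657erikftgvb -
1504256401.222 10.0.0.22 TCP_MISS/200 POST http://fqtsqwhqdcjsn.pw/imageload.cgi -
1504256402.333 10.0.0.22 TCP_MISS/200 GET http://example.com/index.html -
1504256403.444 10.0.0.22 TCP_MISS/404 GET http://dar-alataa.com/other.html -
""".splitlines()


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxp', '[.]', stray spaces) back into a matchable URL."""
    s = indicator.replace(" ", "")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return s.lower()


def ioc_host(indicator: str) -> str:
    return urlparse(refang(indicator)).hostname


def build_matcher(indicators):
    """Return (set of hosts, set of full URLs) for fast lookups."""
    return {ioc_host(i) for i in indicators}, {refang(i) for i in indicators}


def scan_proxy_log(lines, indicators):
    """Return (line_no, host, match_kind) for every log line touching an indicator."""
    hosts, urls = build_matcher(indicators)
    hits = []
    for n, line in enumerate(lines, 1):
        url = next((p for p in line.split()
                    if p.startswith(("http://", "https://"))), None)
        if url is None:
            continue
        host = (urlparse(url).hostname or "").lower()
        if url.lower() in urls:
            hits.append((n, host, "url"))      # exact URL from the campaign
        elif host in hosts:
            hits.append((n, host, "host"))     # same compromised host, other path
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, DEFANGED_IOCS):
        print("ALERT line %d host=%s match=%s" % hit)
```

Host-level matches are noisier than exact URL matches, since the redirect hosts are legitimate sites that were compromised, but a host hit from an internal client shortly after a Dropbox-themed email is still worth a look.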
Another issue with this campaign is its very low detection rate, which rose only from 3 to 18 of 58 engines on VirusTotal by the time this article was published (currently 18/58).
The past week has not been kind to Internet users, as Locky campaigns piled up and a data dump of over 700 million email addresses (and their passwords) made its way into the hands of cyber criminals.
Cyber security researchers have yet to crack Locky and find a free decryption key for it, as they did for these other ransomware strains.