Attacks Increased By Locky Ransomware, Spoofs Dropbox

Locky ransomware has been on a wild spree in the past weeks, trying new ways of achieving even higher infection rates. This ransomware strain has focused on changing tactics and experimenting with new extensions and new baits to get users to click.

In their latest campaign, the cyber attackers behind the notorious ransomware strain currently on the market have decided to resort to spoofing Dropbox.

Here is what the deceptive email looks like as opposed to the legitimate one:

[Image: the fake Dropbox email]

[Image: the real Dropbox email]

Courtesy: Heimdal Security

As you can see, the two are somewhat similar, so an untrained user would find it quite difficult to spot the suspicious elements. We believe this campaign can have a considerable impact on potential victims.

Add to this the fact that it is sent on a Friday, when people are usually tired and less attentive, and cyber criminals have a recipe for success.

If a potential victim misses or ignores the warning signs that the email should not be trusted and clicks the “verify your email” link, the user’s traffic is redirected to a batch of compromised web pages.

Here is a selection of these pages, sanitized for your protection:

http: // Dar-alataa [.] com / dropbox.html
http: // melting-paw [.] com / dropbox.html
http: // flooringforyou [.] co [.] uk / dropbox.html
http: // Fachwerkhaus [.] ws / dropbox.html
http: // binarycousins [.] com / dropbox.html
http: // bayimpex [.] BE / dropbox.html
http: // arthur dennis williams [.] com / dropbox.html
http: // jakuboweb [.] com / dropbox.html
http: // busad [.] com / dropbox.html
http: // ambrogiauto [.] com / dropbox.html

These pages, and the rest of the ones in the batch, include malicious JavaScript code that connects to the following domain:

http: // dippydado [.] net / json.php

This domain, in turn, directs traffic to:

http: // geocean [.] co [.] ID / 657erikftgvb
http: // gtdban [.] net / p66 / 657erikftgvb
http: // givensplace [.] com / 657erikftgvb

The payload is XOR'd with the key “84fb8955ed14d24e14534c24c76810db” so that the strain can bypass various gateway scanners.
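The following is an added analyst's example, not code from the article or from Heimdal Security, showing what that XOR layer does and why it only fools signature matching. The article quotes the key as a 32-character string without saying whether the malware applies the ASCII characters or the 16 bytes they spell in hex, so the example treats that as an assumption and tries both interpretations; the payload and blob below are constructed stand-ins, not samples from the campaign.

```python
XOR_KEY_TEXT = "84fb8955ed14d24e14534c24c76810db"  # the key as quoted in the article


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_candidates(key_text: str) -> dict:
    """Assumption of this example: the article does not say whether the 32-character
    key is used as ASCII (32 bytes) or decoded from hex (16 bytes), so try both."""
    cands = {"ascii": key_text.encode("ascii")}
    try:
        cands["hex"] = bytes.fromhex(key_text)
    except ValueError:
        pass
    return cands


def looks_like_pe(data: bytes) -> bool:
    """A Windows executable starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def recover_payload(blob: bytes, key_text: str = XOR_KEY_TEXT):
    """Try each key interpretation; return (interpretation, plaintext) for the first
    one that yields a PE header, or None if neither does."""
    for name, key in key_candidates(key_text).items():
        plain = xor_repeating(blob, key)
        if looks_like_pe(plain):
            return name, plain
    return None


def key_prefix_from_header(blob: bytes) -> bytes:
    """Known-plaintext check: since a PE file starts with 'MZ', the first two key bytes
    are just blob[:2] XOR b'MZ'. A static XOR key therefore hides the payload only from
    signature matching, not from a scanner or analyst that applies this test."""
    return xor_repeating(blob[:2], b"MZ")


# Constructed stand-in for the dropped executable: a PE-like header plus filler bytes.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + bytes(range(64))
# Constructed "on the wire" blob, assuming the ASCII interpretation of the key.
SAMPLE_BLOB = xor_repeating(SAMPLE_PAYLOAD, XOR_KEY_TEXT.encode("ascii"))

if __name__ == "__main__":
    result = recover_payload(SAMPLE_BLOB)
    print("key interpretation that worked:", result[0] if result else "none (no PE header)")
    print("key prefix leaked by the MZ header:", key_prefix_from_header(SAMPLE_BLOB))
```

The practical point for a gateway: a layer like this defeats byte-signature matching on the transfer, so detection has to move to the URL chain, to decoding with known keys, or to endpoint behaviour, rather than relying on the scanner recognising the file in transit.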

The user will end up with their data encrypted, not only locally but also on other drives connected to the same network. The extension used is .lukitus, which first emerged last month (August 2017).

Current Command and Control servers include:

http: // fqtsqwhqdcjsn [.] pw / imageload.cgi
http: // btvcvfekgnnct [.] biz / imageload.cgi
http: // meklyxcoteyewsx [.] ru / imageload.cgi
http: // asonqpakatx [.] work / imageload.cgi
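As an added defender's example (not code from the article or from Heimdal Security), the script below takes the sanitized indicators listed above, restores them to hostnames, and checks a web-proxy log for requests to any stage of the chain: the compromised landing pages, the dippydado redirector, the payload hosts and the command-and-control servers. The log format is an assumed `<epoch> <client> <method> <url> <status>` layout and the log lines are constructed for the example. It goes one step beyond the article by also flagging `/dropbox.html` on unlisted hosts as a weak indicator, since the article says the pages above are only a selection of the batch.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the article in its sanitized form (spaces and "[.]").
# The stage labels follow the article's description of the infection chain.
DEFANGED_IOCS = {
    "landing page": [
        "http: // Dar-alataa [.] com / dropbox.html",
        "http: // melting-paw [.] com / dropbox.html",
        "http: // flooringforyou [.] co [.] uk / dropbox.html",
        "http: // Fachwerkhaus [.] ws / dropbox.html",
        "http: // binarycousins [.] com / dropbox.html",
        "http: // bayimpex [.] BE / dropbox.html",
        "http: // arthur dennis williams [.] com / dropbox.html",
        "http: // jakuboweb [.] com / dropbox.html",
        "http: // busad [.] com / dropbox.html",
        "http: // ambrogiauto [.] com / dropbox.html",
    ],
    "redirector": ["http: // dippydado [.] net / json.php"],
    "payload host": [
        "http: // geocean [.] co [.] ID / 657erikftgvb",
        "http: // gtdban [.] net / p66 / 657erikftgvb",
        "http: // givensplace [.] com / 657erikftgvb",
    ],
    "c2": [
        "http: // fqtsqwhqdcjsn [.] pw / imageload.cgi",
        "http: // btvcvfekgnnct [.] biz / imageload.cgi",
        "http: // meklyxcoteyewsx [.] ru / imageload.cgi",
        "http: // asonqpakatx [.] work / imageload.cgi",
    ],
}


def refang(ioc: str) -> str:
    """Undo the sanitization: hostnames cannot contain spaces, so every space is an
    artifact of the defanging; "[.]" goes back to a dot."""
    return re.sub(r"\s+", "", ioc).replace("[.]", ".")


def host_of(url: str) -> str:
    # urlsplit().hostname is lowercased already, which is what we want for matching.
    return urlsplit(url).hostname or ""


def build_host_index() -> dict:
    """Map each indicator hostname to the stage of the chain it belongs to."""
    index = {}
    for stage, iocs in DEFANGED_IOCS.items():
        for ioc in iocs:
            index[host_of(refang(ioc))] = stage
    return index


IOC_HOSTS = build_host_index()

# Assumed proxy log layout (constructed for this example):
#   <epoch> <client-ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


def is_real_dropbox(host: str) -> bool:
    return host == "dropbox.com" or host.endswith(".dropbox.com")


def scan_log(lines):
    """Return (line_no, stage, client, host, path) for each request to an indicator host.
    A /dropbox.html request on a host that is neither Dropbox nor listed is reported as
    a weak hit, because the article's list is only a selection of the compromised pages."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        host, path = host_of(url), urlsplit(url).path
        if host in IOC_HOSTS:
            hits.append((n, IOC_HOSTS[host], m.group("client"), host, path))
        elif path.lower() == "/dropbox.html" and not is_real_dropbox(host):
            hits.append((n, "weak: landing-page path", m.group("client"), host, path))
    return hits


def clients_with_strong_hits(hits) -> set:
    """Clients that reached a listed indicator host (weak path-only hits excluded)."""
    return {client for _, stage, client, _, _ in hits if not stage.startswith("weak")}


# Constructed sample proxy log: one client walks the whole chain, one only trips the
# weak path heuristic, and a genuine Dropbox visit must not be flagged.
SAMPLE_LOG = """\
1504876800.101 192.0.2.10 GET https://www.dropbox.com/home 200
1504876805.412 192.0.2.10 GET http://melting-paw.com/dropbox.html 200
1504876806.003 192.0.2.10 GET http://dippydado.net/json.php 200
1504876807.220 192.0.2.10 GET http://geocean.co.id/657erikftgvb 200
1504876901.555 192.0.2.10 POST http://fqtsqwhqdcjsn.pw/imageload.cgi 200
1504876950.000 192.0.2.44 GET http://example.org/dropbox.html 404
""".splitlines()

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print("line %d: %-24s client=%s host=%s path=%s" % hit)
    print("clients to isolate:", sorted(clients_with_strong_hits(hits)))
```

A client that appears at the redirector, payload-host or C2 stage has almost certainly executed the dropper and should be isolated before the share drives the article mentions are encrypted; a landing-page hit alone means the link was clicked and the endpoint deserves a closer look.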

Another issue with this campaign is its very low detection rate: between 3 and 18 engines up to the time this article was published, and currently only 18/58 on VirusTotal.

[Image: VirusTotal detection results]

Courtesy: VirusTotal

The past week has not been kind to Internet users, as Locky campaigns piled up and a data dump of over 700 million email addresses (and their passwords) made its way into the hands of cyber criminals.

Cyber security researchers have yet to crack Locky and find a free decryption key for it, as they have done for other ransomware strains.

Keep safe!
