Stupid Locky! 15 May
While many French newspapers informed their readers of the damage done by the crypto-ransomware trojan Locky as long as it was running rampant unhindered, nothing more can be found in French since it stopped working quite the way it did at the start.
So I offer these articles in English, recalling that I received from my crazed spammer no fewer than seven messages containing this filth between 1 March and 5 April 2016 (see my previous articles on the subject, in particular the one of 25 April).
I presume this sicko had eased off on his usual messages since last February because he was very busy making money with his shiny machine called Locky, and that he has started spamming me again as before since 8 May because his crypto-ransomware is in the shop for a few modifications.
Moreover, the period from February to April 2015 during which he sent me only two of his usual "spams" corresponds to the one when he was getting worked up over the statistics of my blogs Petitcoucou and Justinpetitcoucou after the full restoration of the first, which had been suspended for three weeks from 6 January 2015.
http://www.theregister.co.uk/2016/05/05/locky_ramsomware_network_hacked/
Suck on this: White hats replace Locky malware payload with dummy
I expected a ransom note and all I got was this stupid Locky
Pranksters have infiltrated the control system behind the infamous Locky ransomware and replaced the malware’s main payload with a dummy file.
Locky normally spreads using malicious and disguised JavaScript inside email attachments supposedly containing an invoice or similar. Malicious messages are sent to prospective marks in spam runs.
Those on Windows machines who open the malicious attachment are likely to become infected, a process that results in user files getting encrypted. If this happens it’s normally impractical to recover scrambled files without paying crooks a fee in exchange for the private encryption key needed to recover compromised data.
The hack by as yet unidentified white hats meant that in place of the expected ransomware, “victims” were served with a 12kb binary with the plain message “Stupid Locky” that isn’t a valid executable, anti-virus firm Avira reports.
“It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file,” Sven Carlsen, a security team manager at Avira, explains in a blog post.
What happened is very unlikely to be anything more than a temporary snag for the cybercrooks behind Locky, even though it does suggest they’ve been a bit sloppy.
The whole incident is rare but far from unprecedented. For example, a white hat carried out a similar attack against the Dridex banking trojan botnet back in February that saw the malicious payload removed and an Avira antivirus downloader added instead.
Miscreants behind the Dridex botnet recently switched from pushing trojans towards slinging variants of the Locky ransomware, so there may be elements of commonality between the two incidents.
Locky was recently rated as the second most prevalent form of ransomware, according to security appliance firm Fortinet. CryptoWall remains the most commonly encountered ransomware threat.
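Avira's finding above came down to one triage step: the blob served in place of the payload was not a valid executable. The check below is an added example, not Avira's tooling and not code from the article: it validates the MZ stub, follows e_lfanew and verifies the PE signature, returning a reason for rejection instead of a bare boolean. Both inputs are constructed here (a short text blob standing in for the "Stupid Locky" dummy, and a header-only image built in code); no real sample is involved.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// PEHeader holds the fields a triage script cares about from the COFF file header.
type PEHeader struct {
	NTHeaderOffset   uint32
	Machine          uint16
	NumberOfSections uint16
}

const (
	dosHeaderSize       = 0x40   // IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at 0x3c
	peSigPlusFileHeader = 4 + 20 // "PE\0\0" followed by the 20-byte IMAGE_FILE_HEADER
)

// ParsePEHeader validates the MZ stub, follows e_lfanew and checks the PE signature.
// It returns an error naming the first thing that disqualifies the blob as a PE image.
func ParsePEHeader(data []byte) (*PEHeader, error) {
	if len(data) < dosHeaderSize {
		return nil, fmt.Errorf("only %d bytes, shorter than a DOS header", len(data))
	}
	if data[0] != 'M' || data[1] != 'Z' {
		return nil, errors.New("missing MZ signature")
	}
	off := binary.LittleEndian.Uint32(data[0x3c:0x40])
	// Widen before adding so a huge e_lfanew cannot wrap around the bounds check.
	if uint64(off)+peSigPlusFileHeader > uint64(len(data)) {
		return nil, fmt.Errorf("e_lfanew 0x%x points past end of file", off)
	}
	if string(data[off:off+4]) != "PE\x00\x00" {
		return nil, errors.New("missing PE signature at e_lfanew")
	}
	fh := data[off+4:]
	return &PEHeader{
		NTHeaderOffset:   off,
		Machine:          binary.LittleEndian.Uint16(fh[0:2]),
		NumberOfSections: binary.LittleEndian.Uint16(fh[2:4]),
	}, nil
}

// ConstructedPE builds a header-only image (constructed for this demo, not a real
// sample) so the parser has a positive case to run against offline.
func ConstructedPE() []byte {
	b := make([]byte, dosHeaderSize+peSigPlusFileHeader)
	copy(b, "MZ")
	binary.LittleEndian.PutUint32(b[0x3c:], dosHeaderSize)
	copy(b[dosHeaderSize:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(b[dosHeaderSize+4:], 0x14c) // IMAGE_FILE_MACHINE_I386
	binary.LittleEndian.PutUint16(b[dosHeaderSize+6:], 3)     // NumberOfSections
	return b
}

func main() {
	// Constructed inputs: the text dummy, an MZ stub with no PE header, and the header-only image.
	mzOnly := append([]byte("MZ"), make([]byte, dosHeaderSize-2)...)
	for name, blob := range map[string][]byte{
		"dummy":   []byte("Stupid Locky"),
		"mz-only": mzOnly,
		"header":  ConstructedPE(),
	} {
		h, err := ParsePEHeader(blob)
		if err != nil {
			fmt.Printf("%-8s not a PE image: %v\n", name, err)
			continue
		}
		fmt.Printf("%-8s PE at 0x%x machine=0x%x sections=%d\n", name, h.NTHeaderOffset, h.Machine, h.NumberOfSections)
	}
}
```

This only proves the file is shaped like a PE image; a blob that passes still needs the optional header, section table and imports looked at before it is called a working executable.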
Locky ransomware bolsters encryption of communications with C&C servers
Locky ransomware has evolved into an even greater threat, after developers upgraded the malware to disguise its network traffic via a combination of symmetric and asymmetric encryption.
In a move to obfuscate network traffic more effectively, Locky ransomware developers have recently upgraded the malware to communicate with its command and control server via both symmetric and asymmetric encryption, as opposed to custom encoding.
FireEye Labs, the research division of FireEye, detailed this new development in Locky’s evolution in a blog post. While observing recent samples of the malware, FireEye found that when Locky contacts the control server to obtain a public key for encrypting a victim’s files, Locky initially generates AES (Advanced Encryption Standard) keys and encrypts its plain text request, and then subsequently encrypts the AES keys.
“Locky has moved from using simple encoding to obfuscate its network traffic to a complex encryption algorithm using hardware instructions that are very hard to crack,” the researchers wrote.
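The scheme FireEye describes is ordinary hybrid encryption: a fresh symmetric key protects the request body, and the server's public key protects that symmetric key. The block below is an added example of that pattern in Go's standard library (AES-256-GCM plus RSA-OAEP), written to show what the traffic shape looks like and why a network sensor cannot read or modify it; it is not Locky's code, and the request string, field names and key size are assumptions made here, not details taken from the article. Go's AES implementation uses the processor's AES instructions where available, which is the "hardware instructions" point the quote makes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is the wire form of one request: the per-message AES key wrapped
// under the server's RSA public key, plus the AES-GCM nonce and ciphertext.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(serverPub, aesKey); modulus-sized
	Nonce      []byte // 12-byte GCM nonce, fresh for every message
	Ciphertext []byte // AES-256-GCM(aesKey, nonce, request) with the 16-byte tag appended
}

// NewServerKey generates the server-side RSA key pair (2048 bits is an assumption for the demo).
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is the client side: generate a fresh 256-bit AES key, encrypt the request
// with AES-GCM, then encrypt the AES key itself with RSA-OAEP.
func Seal(serverPub *rsa.PublicKey, request []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, request, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the server side: unwrap the AES key with the RSA private key, then
// decrypt and authenticate the request. Any flipped bit in the nonce or
// ciphertext makes gcm.Open return an error rather than garbage plaintext.
func Open(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	serverKey, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample request; the real protocol's field names are not on the page.
	req := []byte("id=0123456789ABCDEF&act=getkey")
	env, err := Seal(&serverKey.PublicKey, req)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %d-byte wrapped key, %d-byte nonce, %d-byte ciphertext\n",
		len(env.WrappedKey), len(env.Nonce), len(env.Ciphertext))
	plain, err := Open(serverKey, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server recovered: %s\n", plain)
	env.Ciphertext[0] ^= 0x01 // an in-path tamper attempt
	if _, err := Open(serverKey, env); err != nil {
		fmt.Println("tampered envelope rejected:", err)
	}
}
```

The defender's consequence is the one the quote draws: without the server's private key the body is opaque, and the authenticated mode means a sensor cannot quietly rewrite it either, so detection has to lean on the delivery side (the attachment and its dropper) or on traffic metadata rather than on content signatures.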
http://www.myce.com/news/microsoft-removes-locky-kovter-malware-millions-windows-pcs-79397/
Microsoft removes Locky and Kovter malware from millions of Windows PCs
Posted 12 May 2016 21:01 CEST by Jan Willem Aldershoff
Microsoft has checked millions of computers for the Locky and Kovter malware during the Patch Tuesday of this week. The company regularly performs these kinds of checkups, for which its Malicious Software Removal Tool (MSRT) is used. This tool is built into Windows and is able to detect and remove frequently discovered malware.
MSRT receives new malware definitions each Patch Tuesday. This week these add detection for Locky and Kovter. Locky is considered a serious threat; recently Russian antivirus company Kaspersky Lab marked it as one of the biggest security threats of the first quarter of this year. Infections with Locky have been detected all over the world.
The ransomware is distributed through malicious macros in Office files. Once Locky infects the computer it encrypts all files and demands a ransom.
The other malware that is detected through this update is Kovter, which performs click fraud on infected systems. This means the infected computers simulate clicks on advertisements, which generates revenue that is paid to the cybercriminals behind the Kovter malware. This especially affects advertisers and advertising networks, as they have to pay for the fake clicks that will never convert to sales.
Kovter is also distributed through malicious advertisements that trick users into downloading an Adobe Flash Player update. The downloaded file isn't an update but malware. The Kovter malware seems to be mainly infecting computers in the United States. Hundreds of thousands of Windows computers have been attacked this way, according to Microsoft.
Microsoft especially added Kovter detection because the malware is hard to remove. The Redmond software giant hopes to have a bigger impact by adding support for removing Kovter to MSRT.