The Locky crypto-ransomware trojan vanished on 1 June 2016! 13 June
The information has been available in English and in German since 8 June 2016, and as usual, to get it in French you will have to be patient…
The news is nonetheless significant: all of the infrastructure of the Locky crypto-ransomware trojan has been gone since 1 June 2016, without the various observers of its criminal activity knowing why.
While this filth has thus claimed no new victims since that date, that does not necessarily help all those whose encrypted files may now remain so forever, since they are no longer able to pay the ransom and recover them.
I recall having received, for the eighth and last time, a spam e-mail carrying the malicious attachment the day before, 31 May 2016, as I said on this blog in a post of the same day.
As for its previous intrusions into my mailbox, I had displayed the message received, part of its source code and its origin, which was this, in India, the adopted country of the cyber-delinquent and extremely dangerous mentally ill Pascal Edouard Cyprien Luraghi:
IP address: 103.248.32.162
Provider: Realtel Network Services Pvt
Country: India
Yet that evening, the said hacker, who was pouring his heart out as he very often does with his "déconnologue" friends on the Rue89 site, whose comment space they have been squatting for their personal affairs for eight years now, had abruptly broken off all discussion with this very brief message (see my posts of Friday 3 June 2016):
It would therefore seem that he suddenly had some problem or other.
Then all the infrastructure of the Locky crypto-ransomware trojan mysteriously disappeared.
http://motherboard.vice.com/read/one-of-the-worlds-largest-botnets-has-vanished
One of the World’s Largest Botnets Has Vanished
Joseph Cox
Contributor
June 8, 2016 // 12:45 PM EST
With no warning, one of the world’s largest criminal botnets—a massive collection of computers used to launch attacks—has disappeared. Researchers have reported huge drops in traffic for two of the most popular pieces of malware which rely on it.
“We can only tell that the Dridex and Locky spam campaigns stopped since June 1 in our observation. We cannot confirm how the botnet was brought down yet,” Joonho Sa, a researcher for cybersecurity company FireEye, told Motherboard in an email.
Dridex is a piece of malware typically used to empty bank accounts, while Locky is a particularly widespread form of ransomware, which encrypts a victim’s files until they pay a hefty bounty in bitcoin. The two campaigns have been linked in the past.
It’s not clear what exactly will happen to Locky victims now that its infrastructure has seemingly gone offline. There’s a chance that those infected with the ransomware may be unable to successfully pay the criminals and have their files unlocked.
Back when Locky was launched in February of this year, security researcher Kevin Beaumont wrote, “The deployment of Locky was a masterpiece of criminality—the infrastructure is highly developed, it was tested in the wild on a small scale on Monday (ransomware beta testing, basically), and the ransomware is translated into many languages. In short, this was well planned.”
In October 2015, the FBI, UK’s National Crime Agency and other law enforcement agencies disrupted the Dridex malware, but that didn’t stop it.
After the botnet, called Necurs, vanished, Beaumont told Motherboard in a Twitter message, “We’ve seen a huge decrease in malicious traffic since. Locky has completely disappeared,” and added that no new command and control servers—which hackers use to keep tabs on and direct their botnet—have popped up since. Beaumont claimed Necurs was the world’s largest botnet.
There is only circumstantial evidence that may point to why the botnet has vanished. On June 1, the same day FireEye and Beaumont reported a large dip in malicious traffic, Russia’s FSB security service said it had arrested a gang of around 50 hackers, Reuters reported. Those hackers had stolen over 1.7 billion roubles ($25.33 million) from Russian institutions and banks, and used a trojan called Lurk.
Group-IB, a Russian cybersecurity firm that works with law enforcement, doesn’t think there’s a link with the arrests though.
“We don’t see any connection between Necurs Botnet going down and recent arrests in Russia. The arrests of 50 hackers were made in connection to the Lurk group, and that particular group only targeted Russian and Ukrainian banks in their fraudulent activity,” Nikolay Grunin, PR manager for Group-IB told Motherboard in an email.
For the time being, why exactly Necurs disappeared remains a mystery.
Correction: Due to an email mixup, this story originally attributed a quote from FireEye’s Joonho Sa to Sarah Coutermarsh, a FireEye spokesperson who had actually forwarded the statement.
I have things to do. See you later…