Dridex botnet hacked, delivers dummy file

Someone is toying with the Dridex botmasters. The botnet, or at least one or more of its subnets that are sending out spam email delivering Locky ransomware, has been compromised again, and has been distributing a dummy file instead of the malware.

It could be white hats, or rival cyber criminals, but the message is clear – the payload, a 12kb binary, carries two simple words: “Stupid Locky.”

The dummy file doesn’t do anything, because it can’t.

The compromise of the server(s) hosting the malicious payload has been spotted by Avira researchers, after they received a typical email carrying a JavaScript attachment whose purpose is to download the malware.

“I don’t believe that cybercriminals themselves would have initiated this operation because of the potential damage to their reputation and income stream,” Avira researcher Sven Carlsen commented.

“But after the examples of Dridex [Earlier this year someone hijacked the Dridex botnet to deliver Avira AV’s installer] and now Locky, it shows that even cybercriminals, masters of camouflage, are also vulnerable.”

The Dridex botnet received that name because it initially delivered the Dridex malware exclusively. In February 2016, though, one of its subnets began sending out spam email delivering the Bartallex downloader, which then downloaded the Locky crypto ransomware.

After CryptoWall, Locky is the most prevalent ransomware at the moment.

Unfortunately for those who were infected with the real thing, there is no way to decrypt the files it encrypts – apart from paying the ransom and hoping that the received key will do it.

Victims who are loathe to do that can also save the encrypted files and hope that someday someone will come up with a decryption tool.