PSA Payload Via Hacked Locky Host

Earlier this month, researchers at Avira discovered a Locky crypto-ransomware distribution network that had been hacked by a grey hat. In an apparent effort to disrupt Locky, the hacker replaced the payload with a 12-byte text file – which contained the message “Stupid Locky”.

Today, Päivi, a researcher on our Threat Intelligence team, discovered evidence of a similar grey hat hack… but with a new message.

Locky Payload Replaced - HTTP Capture

The JScript (.js) attachment tested by Päivi fetched this attempt at a public service announcement.

Locky Payload Replaced

Emails attachment? I get the sense this grey hat speaks English as a second language. But that’s okay, it’s a decent first attempt at a PSA. But a word of advice to whom it may concern…

Perhaps you could replace the biohazard symbol with something else, such as a peace sign? Panic doesn’t help educate people in the long run. And seeing a biohazard symbol is likely to induce panic rather than just grabbing your subject’s attention.

And you might be surprised how many people will not understand what a “malicious file” is – so perhaps consider something like:

You are reading this message because you clicked on a computer virus. But I (or is it we?) hacked them so they couldn’t hack you. You might not be so lucky next time. Be more careful in the future.
