Security researchers have discovered that white hat crusaders are replacing versions of ransomware with dummy files.
Avira security expert, Sven Carlsen, explained in a blog post this week that his team discovered the unlikely campaign after downloading a version of what it thought was the Locky ransomware.
“But in place of the expected ransomware, we downloaded a 12kb binary with the plain message ‘Stupid Locky’,” he claimed.
“It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file. And I do mean dummy in the fullest expression of the word.”
The malware itself is typically hidden inside a malicious email attachment masquerading as an invoice, with users tricked into starting the infection process via classic social engineering.
“The JavaScript inside the attachment is usually obfuscated which means the real content isn’t visible or understandable for the reader,” Carlsen explained.
“Within the JavaScript itself is a domain generation algorithm for connecting and downloading the original Locky ransomware from the criminals’ server. Additionally, the downloader directs where the malicious files have to be copied to within the infected system as well as executes the downloaded file.”
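As an added illustration (not code from Avira or from the article) of how a mail gateway might flag the kind of attachment described above: a Python check that parses a message, looks for script attachments dressed up as documents, and scores the script body for the obfuscation tricks and Windows Script Host download/execute objects such a downloader typically needs. The sample message, the marker lists and the thresholds are constructed assumptions, not indicators from the Locky campaign.

```python
import email
import re
from email import policy
# Constructed sample "invoice" mail with a .js attachment mimicking the obfuscated
# script-downloader pattern described in the article (not real Locky code).
SAMPLE_EML = b"""Subject: Invoice 4821
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"

var a="WScr"+"ipt."+"Sh"+"ell";var o=new ActiveXObject(a);
var x=new ActiveXObject("MSXML2.XMLHTTP");eval(unescape("%6f%2e%52%75%6e"));
--b1--
"""

SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".hta")
# Windows Script Host / COM names a script downloader uses to fetch and run a payload
WSH_MARKERS = ("ActiveXObject", "WScript.Shell", "MSXML2.XMLHTTP", "ADODB.Stream")
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode(")

def score_script(text):
    # Heuristic reasons why a script body looks like an obfuscated downloader
    reasons = []
    if any(m in text for m in WSH_MARKERS):
        reasons.append("wsh-api")
    if any(m in text for m in OBFUSCATION_MARKERS):
        reasons.append("obfuscation")
    # "ab"+"cd" string splitting is a cheap way to hide API names from scanners
    if len(re.findall(r'"\s*\+\s*"', text)) >= 3:
        reasons.append("string-splitting")
    return reasons

def inspect_email(raw):
    # Parse raw RFC 822 bytes and return one finding per suspicious attachment
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        reasons = []
        if name.endswith(SCRIPT_EXTS):
            reasons.append("script-extension")
            if re.search(r"\.(pdf|docx?|xlsx?)\.\w+$", name):
                reasons.append("double-extension")  # invoice.pdf.js style lure
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            reasons += score_script(body)
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings
```

Run `inspect_email(SAMPLE_EML)` to see the constructed lure flagged on all five heuristics; a plain text message yields no findings.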
The news is somewhat heartening given the soaring rate of ransomware infections currently underway, although it represents just a drop in the ocean in terms of a fightback.
Kaspersky Lab this week claimed ransomware infections soared by 14% in the first three months of the year, with the number of victims climbing by 30%.
That said, the Locky case calls to mind a similar previous incident in February, when the Dridex botnet was hijacked.
In that case, malicious links were replaced by installers for Avira Antivirus.
Dridex is among the most widespread banking malware bots around.
Prior to that, the Avira installer had been added to CryptoLocker and Tesla ransomware, although it’s unclear whether the incidents are connected.