The Locky ransomware, like all other ransomware, encrypts user data and demands a hefty ransom in exchange for the key that decrypts the data.
A variant of this ransomware called ‘thor’ was recently found being distributed via a fake ‘Flash Player Update’ downloading website that goes by the name ‘fleshupdate.com’. The distribution of unwanted software and PUAs through such fake updates has been reported on several other occasions earlier as well. This distribution technique only goes to show how attackers are trying hard to maximize their target area. If you notice, the word ‘flash’ has been wrongly spelled in the domain name – ‘fleshupdate.com’.
What happens when a user visits this fake website?
When a user lands on this website, they are greeted by a fake web page stating ‘Your Flash Player may be out of date’. To a normal, unsuspecting user, this web page will look exactly like the real Adobe site.
Fig 1. Fake Flash Player web page
Almost instantly, the fake page gets automatically redirected to a malicious URL (highlighted below), which then begins downloading the Locky ransomware variant on the user’s computer.
Fig 2. Malicious Locky executable download URL
The malicious executable file is downloaded with the name ‘FlashPlayer.exe’ and carries the icon of the genuine Flash Player to fool the user.
Fig 3. Malicious executable file with the Flash Player icon
Noticing the harmless-looking icon, when the unsuspecting user considers this file as a genuine one and runs it, the ransomware starts scanning the infected computer for file types that it supports and encrypts them. The malware adds the ‘.thor’ extension to the encrypted files and this is followed by the ransom note.
Fig 4. Encrypted files with ‘.thor’ extension
How Quick Heal helps?
Quick Heal’s inbuilt Browser Protection proactively blocks access to malicious URLs/websites that can trigger the download of ransomware and other malware on your computer; in this case, it blocked the URL ‘fleshupdate.com/dow7878nload/flashplayer.exe’
Fig 5. Quick Heal Browsing Protection Alert
Quick Heal proactively detects the malicious component as ‘TrojanRansom.Locky’.
Fig 6. Quick Heal Virus Protection Alert
How to stay safe against ransomware attacks
Subject Matter Expert –
Prashil Moon (Threat Research and Response Team)