Locky developers employ fake Flash Player updates to infect more computers

Locky virus developers have always been in the leading role when it comes to making up ways to spread the malicious viruses around. This ransomware was one of the first viruses to employ major spam campaigns for its distribution and placement on the computers. Among its primary distributors was the infamous Necurs botnet which activity is now considered one of the main factors that influenced probably the biggest spike of spam emails since 2010. What is more, just recently, virus analysts have discovered that the virus developers are now turning to different exploit kits in order to deliver the virus to the target computers more easily. In particular, they have employed RIG-E exploit kit which was later applied in other virus versions including .Shit ransomware, ODIN, Thor and others. In fact, in the ransomware community, Locky has become a true trendsetter, so you can already find this exploit kit being used to disperse other cyber threats such as CryptoLuck and Cerber. Nevertheless, it seems that Locky ransomware creators are not only creating their own distribution techniques but learning from others as well.

Flash Player updates have always been the primary technique to spread potentially unwanted programs such as browser hijackers, adware, and other malware around. Other ransomware have used fake software updates as well, but Locky has turned to this technique just very recently. It might be related to the already mentioned use of the RIG exploit kit which opened new malware promotion possibilities. Now, the targeted users are redirected to a fake site fleshupdate.com which may feature a misspelled title but generally looks very legitimate. Once on the site, the fake FlashPlayer.exe file download initiates automatically and saves this suspicious file on the “Downloads” folder. If the user opens this file, the malicious Locky payload downloads the virus on the computer and begins data encryption. There is no turning back from this point on. Usually, the encryption is fast, so there is virtually no way of stopping the virus once it is running. It is only a matter of time when the ransom note shows up on the screen and demands you to pay money in exchange of files. If you are ever in a situation like this, disconnect your device from the network immediately and run a powerful antivirus software to detect and eliminate the virus. Maybe you will still manage to save at least some of your files. However, to ensure a real data protection, keep external backups and don’t forget to renew them regularly.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions