Fake Flash Player update sites have long been a favorite distribution method for adware and other unwanted programs. Today, a fake Flash update site was discovered by ExecuteMalware that is pushing the Locky ransomware. When someone visits the site they are presented with a page stating that Flash Player is out of date, and an executable is then downloaded automatically. If you look carefully at the URL in the browser's address bar, you can see that the domain, fleshupdate.com, does not appear to be spelled right.

The executable automatically downloaded by this site is named FlashPlayer.exe and carries a Flash Player icon, as seen below.

If you look at the properties of this file, though, things start to look strange.

If a user runs this program thinking that Flash will be updated, they will be in for a big surprise. Instead of a Flash Player update, they will be shown a Locky ransom note once the ransomware has finished encrypting the victim's files.

The LockyDump information for the variant I tested is below. MalwareHunterTeam also saw a sample using an affiliate ID of 19, which as far as we know has not been previously seen.
Verbose: 0
The file is a PE EXE
affilID: 13
Seed: 9841
Delay: 30
Persist Svchost: 0
Persist Registry: 0
Ignore Russian Machines: 1
CallbackPath: /message.php
C2Servers: 85.143.212.23,185.82.217.29,107.181.174.34
RsaKeyID: 85D
RsaKeySizeBytes: 114
Key Alg: A400
Key: RSA1
Key Bits: 2048
Key Exponent: 10001
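As an added example (not the article's own code), the small Python script below parses the LockyDump output quoted above into the artifacts a defender actually wants from it: the normalised fields analysts compare between variants, the full C2 callback URLs (C2 IP plus CallbackPath), and one Suricata-style rule per C2 server. The sample config is constructed from the values quoted above, and the rule wording and sid range are assumptions, not part of the article.

```python
# Constructed sample: the LockyDump output quoted in the article above.
LOCKYDUMP_OUTPUT = """Verbose: 0
The file is a PE EXE
affilID: 13
Seed: 9841
Delay: 30
Ignore Russian Machines: 1
CallbackPath: /message.php
C2Servers: 85.143.212.23,185.82.217.29,107.181.174.34
Key Bits: 2048
Key Exponent: 10001
"""

def parse_lockydump(text):
    """Turn 'Key: value' lines into a dict; banner lines without a colon are skipped."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def c2_callback_urls(cfg):
    """Full URLs the sample would contact: each C2 IP joined with CallbackPath."""
    path = cfg.get("CallbackPath", "/")
    servers = [s.strip() for s in cfg.get("C2Servers", "").split(",") if s.strip()]
    return [f"http://{ip}{path}" for ip in servers]

def summarize(cfg):
    """Normalise the fields analysts compare between variants (affiliate, seed, key)."""
    return {
        "affiliate_id": int(cfg["affilID"]),
        "seed": int(cfg["Seed"]),
        "delay": int(cfg["Delay"]),
        "skips_russian_machines": cfg.get("Ignore Russian Machines") == "1",
        "rsa_bits": int(cfg["Key Bits"]),
        "rsa_exponent": int(cfg["Key Exponent"], 16),  # hex 10001 = 65537, the usual RSA exponent
        "c2_urls": c2_callback_urls(cfg),
    }

def suricata_rules(cfg, sid_base=9000001):
    """One rule per C2 server for the HTTP callback (assumed rule wording; sid range is a placeholder)."""
    path = cfg["CallbackPath"]
    rules = []
    for i, url in enumerate(c2_callback_urls(cfg)):
        ip = url.split("/")[2]  # scheme, empty, host, path
        rules.append(f'alert http $HOME_NET any -> {ip} any (msg:"Locky C2 callback to {ip}"; '
                     f'http.uri; content:"{path}"; sid:{sid_base + i}; rev:1;)')
    return rules
```

Calling `summarize(parse_lockydump(LOCKYDUMP_OUTPUT))` gives a dict that can be diffed against other samples, and `suricata_rules` gives rules ready to drop into a local ruleset after adjusting the sid range.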
As you can see, it is not only attachments and exploit kits that push ransomware. Everyone needs to be vigilant and careful when browsing the web. Furthermore, program updates should only be downloaded from the vendor's own product site rather than from third-party sites, where you have no idea what you are actually installing.
Stay Frosty!

Comments
Will5200 - 8 years ago
"fleshupdate.com", seriously?
Lawrence Abrams - 8 years ago
I can't make this stuff up!
alpotero - 8 years ago
Cuz why not ? :)
Effective phishing site for noobs though :)
Will5200 - 8 years ago
A site like that is dangerous. Created this month for the purpose of hosting malware. Domain contact address is nonsense. Disposable email address. Per HPHosts, the server IP traces to Russia, where I suspect the operator is.
Will5200 - 8 years ago
The true reputation of that site has been revealed. Thanks for the article:
http://www.urlvoid.com/scan/fleshupdate.com/