{"id":83622,"date":"2016-11-23T18:46:15","date_gmt":"2016-11-23T13:16:15","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=83622"},"modified":"2016-11-24T12:17:34","modified_gmt":"2016-11-24T06:47:34","slug":"alert-fake-flash-player-website-spreading-locky-ransomware","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/alert-fake-flash-player-website-spreading-locky-ransomware\/","title":{"rendered":"Alert! A Fake Flash Player Website is Spreading Locky Ransomware"},"content":{"rendered":"

The Locky ransomware, like all other ransomware, encrypts user data and demands a hefty ransom in exchange for the key that decrypts the data.<\/p>\n

A variant of this ransomware called ‘thor’ was recently found being distributed via a fake ‘Flash Player Update’ downloading website that goes by the name ‘fleshupdate.com’. The distribution of unwanted software and PUAs through such fake updates has been reported on several other occasions earlier as well. This distribution technique only goes to show how attackers are trying hard to maximize their target area. If you notice, the word \u2018flash\u2019 has been wrongly spelled in the domain name – ‘fle<\/strong>shupdate.com’<\/em>.<\/p>\n

What happens when a user visits this fake website?
\n<\/strong>When a user lands on this website, they are greeted by a fake web page stating ‘Your Flash Player may be out of date’. To a normal, unsuspecting user, this web page will look exactly like the real Adobe site.<\/p>\n

\"fake-flash-player-web-page\"<\/p>\n

Fig 1. Fake Flash Player web page<\/p>\n

Almost instantly, the fake page gets automatically redirected to a malicious URL (highlighted below), which then begins downloading the Locky ransomware variant on the user\u2019s computer.<\/p>\n

\"malicious-locky-executable-download-url\"Fig 2. Malicious Locky executable download URL<\/p>\n

The malicious executable file is downloaded with the name ‘FlashPlayer.exe’ and carries the icon of the genuine Flash Player to fool the user.<\/p>\n

\"malicious-executable-file-with-flash-player-icon\"<\/p>\n

Fig 3. Malicious executable file with the Flash Player icon<\/p>\n

Noticing the harmless-looking icon, when the unsuspecting user considers this file as a genuine one and runs it, the ransomware starts scanning the infected computer for file types that it supports and encrypts them. The malware adds the ‘.thor’ extension to the encrypted files and this is followed by the ransom note.<\/p>\n

\"encrypted-files-with-thor-extension\"<\/p>\n

Fig 4. Encrypted files with \u2018.thor\u2019 extension<\/p>\n

How Quick Heal helps?<\/strong><\/p>\n

Quick Heal\u2019s inbuilt Browser Protection<\/strong> proactively blocks access to malicious URLs\/websites that can trigger the download of ransomware and other malware on your computer; in this case, it blocked the URL \u2018fleshupdate.com\/dow7878nload\/flashplayer.exe’<\/p>\n

\"browsing-protection\"Fig 5. Quick Heal Browsing Protection Alert<\/p>\n

Quick Heal proactively detects the malicious component as ‘TrojanRansom.Locky’.<\/p>\n

\"quick-heal-virus-protection-alert\"<\/p>\n

Fig 6. Quick Heal Virus Protection Alert<\/p>\n

How to stay safe against ransomware attacks<\/strong><\/p>\n