Necurs botnet is back and starts delivering the Locky ransomware

Cisco Security Team has noticed traces of traffic from the dormant Necurs botnet and they are warning of a possible new massive ransomware spam campaign.

Security researchers at Cisco Security Team have noticed traces of traffic from the dormant Necurs botnet and they are warning of a possible new massive ransomware spam campaign.

“The research from Talos shows that Locky spam activity has picked up again, but not nearly the volumes seen previously. “A couple of days ago we finally started seeing some spam campaigns start delivering Locky again,” the researchers wrote. “The key difference here is around volume. We typically would see hundreds of thousands ” reads a post published by Cisco.

At the time I was writing, experts just found fewer than a thousand Necurs spam messages, but the situation could rapidly degenerate. The Necurs Botnet, one of the world’s largest malicious architecture, was used to spread the Dridex banking malware and the dreaded Locky ransomware, it has vanished since June 1.

On October 2015, an international joint effort of law enforcement agencies, including the FBI and the NCA, destroyed the botnet, but it resurrected after and was used to mainly spread the Locky ransomware.

Now the Necrus botnet was being used by crooks to deliver the Locky ransomware, the overall number of attacks has quietly increased over the last week.

“Since late December we haven’t seen the typical volume of Locky, however, a couple of days ago we finally started seeing some spam campaigns start delivering Locky again,” Cisco’s researchers explained.

“The key difference here is around volume. We typically would see hundreds of thousands of Locky spam, [and now] we are currently seeing campaigns with less than a thousand messages.

“With both of these campaigns being relatively low volume these could be one offs or indicators of changes to come to the campaigns in the future.”

The researchers at the Talos team have observed two specific campaigns that are a little different than what they have seen before. One of the new campaigns delivers a malicious dropper inside a zip file that is delivered via spam email messages. Once opened, the JSE file is able to download two pieces of malware, the Locky ransomware and the Kovter Trojan.

A second campaign leverages on RAR files instead of the common zip archives. If the user extracts the archive they find a js file, doc_details.js.

“Crimeware is a lucrative endeavor with revenue rapidly approaching a billion dollars annually,” Cisco added. “This doesn’t come without significant risk and we may be entering a period where adversaries are increasingly cashing out from this activity early, to avoid severe penalties.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Necurs botnet, Locky)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.