In the last months, we have read a lot of news regarding the activities on one of the largest botnet in the wild that was used by crooks to deliver the Dridex banking malware and the dreaded Locky ransomware, but now many security experts wonder about its end.
The botnet used to spread the dreaded threats appears to have vanished since June 1, security experts from FireEye have observed a drastic drop in the malicious traffic linked to the botnet activity.
“We can only tell that the Dridex and Locky spam campaigns stopped since June 1 in our observation. We cannot confirm how the botnet was brought down yet,” Joonho Sa, a researcher for FireEye confirmed to Motherboard.
When it was first spotted earlier 2015, the experts classified the malicious infrastructure used to spread the threat as high-complex and efficient, “a masterpiece of criminality.”
On October 2015, an international joint effort of law enforcement agencies, including the FBI and the NCA, destroyed the botnet, but it resurrected after and was used to mainly spread the Locky ransomware. Experts called it Necurs and confirmed it was the world’s largest botnet.
Now the experts have assisted to the drop of its activities, and the entire network was no more changed.
“We’ve seen a huge decrease in malicious traffic since. Locky has completely disappeared”
Necurs was the world’s largest botnet. If you saw most malicious traffic drop off your firewall 1st June… pic.twitter.com/cFX8ZiQjly
— Kevin Beaumont (@GossiTheDog) 6 giugno 2016
Necurs was used mainly to deliver the Locky ransomware, its inactivity could be the evidence that the gangs behind the threat stopped working, this means that it was also impossible for the victims to rescue their file by paying a ransom.
One hypothesis is that the 50 members of the Russian gang arrested by the Russian FSB security service on June 1 are the same operators behind the Necurs botnet.
“Russia’s FSB security service said on Wednesday it had helped detain a gang of about 50 hackers who stole over 1.7 billion roubles ($25.33 million) from the accounts of various Russian financial institutions.” reported the Reuters Agency.
The motherboard also reported the comment by experts from the Russian cybersecurity firm Group-IB that considers the arrests not linked to the activity of the Necurs Botnet.
(Security Affairs – Necurs Botnet, cybercrime)