Security researchers at Cisco Security Team have noticed traces of traffic from the dormant Necurs botnet and they are warning of a possible new massive ransomware spam campaign.
“The research from Talos shows that Locky spam activity has picked up again, but not nearly the volumes seen previously. “A couple of days ago we finally started seeing some spam campaigns start delivering Locky again,” the researchers wrote. “The key difference here is around volume. We typically would see hundreds of thousands ” reads a post published by Cisco.
At the time I was writing, experts just found fewer than a thousand Necurs spam messages, but the situation could rapidly degenerate. The Necurs Botnet, one of the world’s largest malicious architecture, was used to spread the Dridex banking malware and the dreaded Locky ransomware, it has vanished since June 1.
On October 2015, an international joint effort of law enforcement agencies, including the FBI and the NCA, destroyed the botnet, but it resurrected after and was used to mainly spread the Locky ransomware.
Now the Necrus botnet was being used by crooks to deliver the Locky ransomware, the overall number of attacks has quietly increased over the last week.
“Since late December we haven’t seen the typical volume of Locky, however, a couple of days ago we finally started seeing some spam campaigns start delivering Locky again,” Cisco’s researchers explained.
“The key difference here is around volume. We typically would see hundreds of thousands of Locky spam, [and now] we are currently seeing campaigns with less than a thousand messages.
“With both of these campaigns being relatively low volume these could be one offs or indicators of changes to come to the campaigns in the future.”
The researchers at the Talos team have observed two specific campaigns that are a little different than what they have seen before. One of the new campaigns delivers a malicious dropper inside a zip file that is delivered via spam email messages. Once opened, the JSE file is able to download two pieces of malware, the Locky ransomware and the Kovter Trojan.
A second campaign leverages on RAR files instead of the common zip archives. If the user extracts the archive they find a js file, doc_details.js.
“Crimeware is a lucrative endeavor with revenue rapidly approaching a billion dollars annually,” Cisco added. “This doesn’t come without significant risk and we may be entering a period where adversaries are increasingly cashing out from this activity early, to avoid severe penalties.”
(Security Affairs – Necurs botnet, Locky)