The Necurs Botnet, one of the world’s largest malicious architecture, used to spread the dreaded threats appears to have vanished since June 1.
In the last months, we have read a lot of news regarding the activities on one of the largest botnet in the wild that was used by crooks to deliver the Dridex banking malware and the dreaded Locky ransomware, but now many security experts wonder about its end.
The botnet used to spread the dreaded threats appears to have vanished since June 1, security experts from FireEye have observed a drastic drop in the malicious traffic linked to the botnet activity.
“We can only tell that the Dridex and Locky spam campaigns stopped since June 1 in our observation. We cannot confirm how the botnet was brought down yet,” Joonho Sa, a researcher for FireEye confirmed to Motherboard.
When it was first spotted earlier 2015, the experts classified the malicious infrastructure used to spread the threat as high-complex and efficient, “a masterpiece of criminality.”
On October 2015, an international joint effort of law enforcement agencies, including the FBI and the NCA, destroyed the botnet, but it resurrected after and was used to mainly spread the Locky ransomware. Experts called it Necurs and confirmed it was the world’s largest botnet.
Now the experts have assisted to the drop of its activities, and the entire network was no more changed.
“We’ve seen a huge decrease in malicious traffic since. Locky has completely disappeared”
Necurs was the world’s largest botnet. If you saw most malicious traffic drop off your firewall 1st June… pic.twitter.com/cFX8ZiQjly
Necurs was used mainly to deliver the Locky ransomware, its inactivity could be the evidence that the gangs behind the threat stopped working, this means that it was also impossible for the victims to rescue their file by paying a ransom.
One hypothesis is that the 50 members of the Russian gang arrested by the Russian FSB security service on June 1 are the same operators behind the Necurs botnet.
“Russia’s FSB security service said on Wednesday it had helped detain a gang of about 50 hackers who stole over 1.7 billion roubles ($25.33 million) from the accounts of various Russian financial institutions.” reported the Reuters Agency.
The motherboard also reported the comment by experts from the Russian cybersecurity firm Group-IB that considers the arrests not linked to the activity of the Necurs Botnet.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.