Necurs botnet reappears with Locky ransomware

Malware-spreading botnet reactivated after weeks of silence

Security researchers have confirmed that one of the world's largest botnets has reactivated and resumed distributing Locky and Dridex malware payloads.

The Necurs botnet was shut down in early June, but appears to have returned.

"On the evidence of reused IP addresses, this campaign appears to be originating from the Necurs botnet," security company Proofpoint wrote in a blog post.

"As of the writing of this blog on 22 June, a second, much larger Locky campaign was underway, signaling a clear return of both Locky and the Necurs botnet."

The Necurs botnet is believed to be one of the biggest currently in operation, but on 1 June, Proofpoint noticed that activity around it sharply dropped off.

At the same time, campaigns of ransomware emails - which Proofpoint described as "among the largest we have ever observed" - also dropped substantially in volume.

This confirmed that cybercriminals were using the Necurs botnet as a ransomware delivery channel. Besides the Locky strain of ransomware, it was also used to distribute the Dridex banking trojan, which steals users' financial credentials.

After almost a month of inactivity, emails loaded with Locky and Dridex have begun to circulate again, which Proofpoint said suggests that "the Necurs spam cannon is functional again".

Even more worryingly, the new Locky samples carry upgrades designed to thwart detection and analysis, which the authors introduced just before Necurs went quiet. These include counting CPU cycles to identify virtual machines, JavaScript obfuscation and obscuring loader details.

The volume of emails is just 10 per cent of the campaign's previous peak, but Proofpoint warned "unfortunately, we expect both Dridex and Locky email campaigns to begin again in earnest".

The reappearance comes in the wake of news that crypto-ransomware attacks - including attacks using malware like Locky - have risen more than 550 per cent over the last year.
