Necurs botnet reappears with Locky ransomware

Malware-spreading botnet reactivated after weeks of silence

botnet

Security researchers have confirmed that one of the world's largest botnets has reactivated and resumed distributing Locky and Dridex malware payloads.

The Necurs botnet was shut down in early June, but appears to have returned.

"On the evidence of reused IP addresses, this campaign appears to be originating from the Necurs botnet," security company Proofpoint wrote in a blog post.

"As of the writing of this blog on 22 June, a second, much larger Locky campaign was underway, signaling a clear return of both Locky and the Necurs botnet."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The Necurs botnet is believed to be one of the biggest currently in operation, but on 1 June, Proofpoint noticed that activity around it sharply dropped off.

At the same time, campaigns of ransomware emails - which Proofpoint described as "among the largest we have ever observed" - also dropped substantially in volume.

This confirmed that the Necurs botnet was being used by cybercriminals as a ransomware delivery channel. As well as the Locky strain of ransomware, it was also used to distribute the Dridex banking trojan, which steals users' financial credentials.

After almost a month of inactivity, emails loaded with Locky and Dridex have begun to circulate again, which Proofpoint said suggests that "the Necurs spam cannon is functional again".

Even more worryingly, the Locky instances feature upgrades designed to thwart detection and analysis, introduced by the authors just before Necurs' outage. These include counting CPU cycles to identify virtual machines, Javascript obfuscation and obscuring loader details.

The volume of emails is just 10 per cent of the campaign's previous peak, but Proofpoint warned "unfortunately, we expect both Dridex and Locky email campaigns to begin again in earnest".

Advertisement - Article continues below

The reappearance comes in the wake of news that crypto-ransomware attacks - including attacks using malware like Locky - have risen more than 550 per cent over the last year.

Featured Resources

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

6 ways your business could suffer if you don’t backup Office 365

Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for good

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
Visit/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Security

The top ten password-cracking techniques used by hackers

10 Feb 2020
Visit/security/cyber-security/354827/mcafee-researchers-trick-tesla-autopilot-with-a-strip-of-tape
cyber security

McAfee researchers trick Tesla autopilot with a strip of tape

21 Feb 2020