Necurs Botnet is at it again – spreads a new Locky Campaign!

After having a break for nearly a month, Necurs botnet has been spotted online again.

In the first week of June, the Necurs botnet mysteriously went offline, resulting in a significant drop in the notorious Dridex and Locky malware campaigns. Security researchers were surprised by the sudden decrease in activity at the time, and they could not identify any specific reason for the botnet’s disappearance. This is what Kevin Epstein, vice president of Threat Operations Center at Proofpoint, said earlier this month regarding the Necurs “vanishing”: “We have no idea why Necurs stopped, but we theorize it may have had something to do with a glitch in the command-and-control function of the botnet.”

A massive botnet used to launch attacks has disappeared!

After this sudden decrease in ransomware activity, users probably thought they could take a breath from malware infections, at least for a while. However, the Locky and Dridex threats were quickly replaced by the no less dangerous CryptXXX and Crysis ransomware. And it looks like the hackers behind Necurs had no intention of shutting down the botnet and stopping the spread of their malware, as the crooks behind TeslaCrypt did.

After a break of nearly a month, the Necurs botnet has been spotted online again. This Monday, security researchers from Proofpoint noticed a new boost in its activity. According to their observations, an improved version of Locky is spreading again in a fresh multi-million-message email campaign powered by the Necurs botnet. It seems other malware families will have to wait a while before they can think of replacing this notorious ransomware.

Here is what Proofpoint outlined in their new Necurs analysis:
“Analysis of the sending IPs associated with this campaign suggest that the Necurs spam cannon is functional again and, unfortunately, we expect both Dridex and Locky email campaigns to begin again in earnest.”

The Necurs botnet powers some of the most active online infections, the Dridex banking Trojan and the Locky ransomware. Necurs is believed to comprise about 6.1 million bots, which places it among the largest botnets in the world. Necurs’ malicious activities are responsible for spreading numerous infections worldwide, resulting in losses of millions of dollars for businesses and ordinary online users.

According to fresh observations, the new malicious e-mails contain the following message:
“Dear (random name): Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter. Hoping the above to your satisfaction, we remain. Sincerely, (random name and title)”. The attachment is a zip file containing JavaScript code that, when run, executes the malware. Researchers have also found that the updated Locky version includes more sophisticated anti-analysis tricks.
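The delivery chain described above (an invoice-themed email carrying a zip archive whose member is a script file) is the kind of thing a mail gateway can flag before a user ever double-clicks it. The following is an added example, not code from the article or from Proofpoint: it builds a constructed sample attachment in memory, inspects the archive members for script-type extensions (including double extensions such as `invoice.pdf.js`), and checks the message body for the lure phrases quoted above. The function names, the extension list and the sample data are assumptions chosen for the illustration.

```python
import io
import os
import zipfile
from typing import Dict, List

# File types that Windows runs as scripts on double-click. The Locky lure
# described above uses a .js member; the rest are common variants.
# (Assumption: this list is illustrative, not an exhaustive policy.)
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Phrases taken from the lure text quoted in the article.
LURE_PHRASES = (
    "please find attached our invoice",
    "additional disbursements",
    "hoping the above to your satisfaction",
)


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Create a zip archive in memory (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def script_members(zip_bytes: bytes) -> List[str]:
    """Return archive member names whose final extension is a script type.

    Only the last extension is examined, so 'invoice.pdf.js' is flagged.
    Trailing whitespace is stripped because it is sometimes used to push
    the real extension out of view in file dialogs.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename.rstrip().lower())[1]
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def lure_matches(body: str) -> List[str]:
    """Return the lure phrases that appear in the message body (case-insensitive)."""
    lowered = body.lower()
    return [p for p in LURE_PHRASES if p in lowered]


def triage(body: str, zip_bytes: bytes) -> Dict[str, object]:
    """Combine both signals into a simple verdict a gateway rule could act on.

    Either signal alone is worth a warning; a script attachment together with
    the invoice lure text is treated as a quarantine-worthy match.
    """
    scripts = script_members(zip_bytes)
    phrases = lure_matches(body)
    if scripts and phrases:
        verdict = "quarantine"
    elif scripts or phrases:
        verdict = "warn"
    else:
        verdict = "allow"
    return {"verdict": verdict, "script_members": scripts, "lure_phrases": phrases}


if __name__ == "__main__":
    # Constructed message mirroring the lure quoted in the article.
    sample_body = (
        "Dear Alex: Please find attached our invoice for services rendered and "
        "additional disbursements in the above-mentioned matter. Hoping the above "
        "to your satisfaction, we remain. Sincerely, J. Doe, Accounts"
    )
    sample_zip = build_sample_zip({"invoice_2016.pdf.js": b"// constructed placeholder"})
    print(triage(sample_body, sample_zip))
```

Scanning by final extension rather than by the archive's declared MIME type is deliberate: the zip container itself is benign and only the member's type tells you whether Windows will hand it to the script host. In a production filter this check would sit beside archive-depth limits and a size cap, since a nested or oversized archive should not be fully expanded inline.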

How to Decrypt Ransomware

The escalation of the new Locky email campaign is being closely observed. According to rough estimates, Necurs is sending somewhere in the vicinity of 80 to 100 million email messages per day. To avoid contact with infected files, users are advised not to open suspicious emails or their attachments and to protect their devices with proper anti-malware software.