Unbreakable Locky ransomware is on the march again

Solarquest (Moderator, Thread author)
Necurs botnet wakes up and starts fresh malware-cano

Cisco is warning of possible return of a massive ransomware spam campaign after researchers noticed traces of traffic from the hitherto dormant Necurs botnet.

The attacks are tiny: Cisco's security team has so far found fewer than a thousand Necurs spam messages.
Those numbers pale in comparison to attacks when Necurs' payload, Locky, first surfaced in early 2016, infecting hospitals across the US and Japan, and outpacing the Dridex banking trojan for email-borne malware.

But researchers warn it's entirely possible there's worse to come, because the infamous Necurs botnet once controlled nearly half a million machines devoted to pumping out spam. Many of the messages the network sent distributed the still-unbreakable Locky ransomware.

Researchers say attacks both from Necurs and delivering Locky have quietly increased over the last week.
"Since late December we haven't seen the typical volume of Locky, however, a couple of days ago we finally started seeing some spam campaigns start delivering Locky again," Cisco's researchers say.

"The key difference here is around volume. We typically would see hundreds of thousands of Locky spam, [and now] we are currently seeing campaigns with less than a thousand messages.

"With both of these campaigns being relatively low volume these could be one offs or indicators of changes to come to the campaigns in the future."

One of the attacks delivers Locky through a twice-zipped attachment in emails with no subject or body text.
Those who execute the malware will also receive the Kovter advertising click fraud trojan.

Malware writers seemed to remember to type something in their emails a day later as they sent fake transaction failure messages bearing a doc_details JavaScript file wrapped into a rar file.

"Crimeware is a lucrative endeavor with revenue rapidly approaching a billion dollars annually," Cisco's boffins say. "This doesn't come without significant risk and we may be entering a period where adversaries are increasingly cashing out from this activity early, to avoid severe penalties."
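The two delivery patterns described in the post (a twice-zipped attachment in a message with no subject or body, and a script file wrapped inside an archive) are the kind of thing a mail gateway can score without any knowledge of the payload. The following is an added example written for this thread, not code from the article or from Cisco: it uses only Python's standard-library `zipfile`, so it handles ZIP-in-ZIP nesting but not RAR (inspecting a `.rar` would need a third-party library such as `rarfile`, which is not shown). The file names, size limits and sample messages are constructed placeholders, and the archive contents are harmless stand-ins rather than real malware.

```python
import io
import zipfile

# Member extensions that warrant a closer look when found inside an archive attachment.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr")
MAX_MEMBER_SIZE = 20 * 1024 * 1024  # refuse to inflate members larger than this (zip-bomb guard)
MAX_LEVELS = 4                      # stop recursing past this many nested archives


def inspect_archive(data: bytes, level: int = 1) -> dict:
    """Walk a ZIP attachment recursively.

    Returns the deepest archive level reached (1 = a plain zip, 2 = zip inside zip, ...)
    and the names of any script/executable members found at any level.
    A non-ZIP input reports level 0."""
    result = {"levels": 0, "script_members": []}
    if level > MAX_LEVELS or not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["levels"] = level
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(SCRIPT_EXTENSIONS):
                result["script_members"].append(name)
            # Only descend into inner zips whose uncompressed size is sane.
            if lower.endswith(".zip") and info.file_size <= MAX_MEMBER_SIZE:
                inner = inspect_archive(zf.read(name), level + 1)
                result["levels"] = max(result["levels"], inner["levels"])
                result["script_members"].extend(inner["script_members"])
    return result


def classify(subject: str, body: str, attachment: bytes) -> str:
    """Combine the message-level and attachment-level signals from the post.

    'suspicious' when a script member sits in a nested archive or arrives in an
    empty message; 'review' when only one signal fires; otherwise 'ok'."""
    findings = inspect_archive(attachment)
    empty_message = not subject.strip() and not body.strip()
    nested = findings["levels"] >= 2
    scripts = bool(findings["script_members"])
    if scripts and (nested or empty_message):
        return "suspicious"
    if nested or scripts or empty_message:
        return "review"
    return "ok"


def build_zip(members: dict) -> bytes:
    """Construct an in-memory ZIP file from {name: bytes} (used for the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (placeholders, not real malware): a twice-zipped script file
# mirroring the pattern in the post, and a benign single-level zip for comparison.
INNER = build_zip({"doc_details.js": b"// constructed placeholder, not a real payload"})
TWICE_ZIPPED = build_zip({"invoice.zip": INNER})
BENIGN = build_zip({"report.pdf": b"%PDF-1.4 constructed placeholder"})

if __name__ == "__main__":
    print(inspect_archive(TWICE_ZIPPED))
    print(classify("", "", TWICE_ZIPPED))                 # suspicious
    print(classify("Q3 report", "See attached.", BENIGN)) # ok
```

The size cap before recursing matters: an attacker-controlled archive chain is exactly where a gateway should not inflate members blindly, and capping both member size and nesting depth keeps the check cheap enough to run on every message.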