New massive spam wave spreads Locky - is Necurs botnet back?

A million emails per day. That’s how much spam Bitdefender has seen starting the 21^st June, in a massive campaign spreading the infamous Locky ransomware.

After weeks of silence, we’ve seen a sudden spike in ransomware-infected emails, Adrian Miron, Antispam researcher says. “We believe this may be linked with the re-emergence of Necurs”.

The Necurs botnet, one of the largest and most resilient criminal botnets out there, has reportedly made a comeback with an enhanced version of Locky ransomware, among other threats.

Necurs is a peer-to-peer hybrid botnet totaling about 1,700,000 infected computers. Until June 1^st, it was one of the most active botnets, with millions of bots serving large volumes of spam emails. But around May 31^st, the Necurs C&C servers went offline and traffic dropped significantly.

“We’ve seen a huge decrease in malicious traffic since”, Motherboard wrote at the time. “Locky has completely disappeared.” Coincidentally, or not, in the same time, Russia’s FSB security service said it had arrested a gang of around 50 hackers who had stolen over 1.7 billion roubles ($25.33 million) from Russian institutions and banks via the Lurk Trojan.

The bulk of emails identified by Bitdefender targets employees from various worldwide companies including construction companies, photo library sites and grocery stores. The messages pose as reports sent by the CEO and contain an attached .zip file which download a stealthier iteration of Locky. The payload is delivered via JavaScript attachments.

In late May, Locky added a new loader with new anti-analysis tricks, according to Proofpoint analysts. One of the techniques targets virtual machines (VMs) with poor maintenance of realistic processor timestamp counter values. The malware compares time spent loading certain Windows functions in the OS versus a virtual environment and thus, can identify whether it is running in a virtualized environment.

Bitedefender detects and blocks this threat as Gen:Variant.Locky.15.