Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Russian Cyber Mafia Is Back From Vacation With Smarter Locky Ransomware Strain

    Threatpost reported that the notorious Necurs botnet is back in business, after mysteriously going dark for nearly a month. Researchers report the Necurs has returned to spewing massive volumes of email containing an improved version of the potent Locky ransomware and the Dridex banking Trojan.

    According to Proofpoint which has been tracking Necurs, criminals behind the botnet began pushing out multimillion email message campaigns on Monday. This new activity is the first life Proofpoint has seen from the Necurs Botnet since it went dark on May 31.

    Necurs is widely believed to be one of the largest botnets (with 6.1 million bots) functioning and responsible for millions in dollar losses tied to ransomware and Dridex banking Trojan infections. 

    Here is how the email messages look: "Dear (random name): Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter. Hoping the above to your satisfaction, we remain. Sincerely, (random name and title). "

    Necurs Botnet with Locky Ransomware Email

    Proofpoint said the Locky campaigns included zip attachments containing JavaScript code, and the new loader component to Locky included new anti-analysis tricks. One of those tricks includes detecting whether or not it is running within a sandbox test environment versus a live infection. It does this via a complicated mathematical analysis measuring the time it take for the ransomware to execute API calls. “The malware compares the number of CPU cycles that it takes to execute certain Windows APIs. As you would expect, it takes more cycles in a VM environment to execute most Windows functions,” wrote Proofpoint.

    A second obfuscation technique includes what Epstein called a “tap dance within memory” for the cross-module execution of the Locky payload. Through a complex series of steps that include unpacking the Locky binary via RtlDecompressBuffer and overwriting the original loader image, attackers can relocate Locky instruction code in order to make manual analysis of memory dumps more difficult. Epstein says Proofpoint is already tracking an escalation of Locky campaigns since Necurs came back online. He estimates Necurs is pushing out 80 to 100 million email messages each day.

    Find out which of your users emails are exposed before the bad guys do.

    The Email Exposure Check is a one-time free service. We will email you back a report containing the list of exposed addresses and where we found them within 2 business days, or sooner! Start here:

    How Big Is My Phishing Attack Surface?

    Don't like to click on redirected buttons? Cut & Paste this link in your browser instead:

    https://www.knowbe4.com/email-exposure-check/

    (Hat Tip to Tom Spring at Kaspersky's Threatpost).

     

    Return To KnowBe4 Security Blog

    Topics: Ransomware

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews