January 23, 2017
Necrus botnet wakes up and starts fresh malware-cano
Cisco is warning of possible return of a massive ransomware spam campaign after researchers noticed traces of traffic from the hitherto dormant Necrus botnet.
The attacks are tiny: Cisco's security team has so far found fewer than a thousand Necrus spam messages.
Those numbers pale in comparison to attacks when Necrus' payload, Locky, first surfaced in early 2016, infecting hospitals across the US and Japan, and outpacing the Dridex banking trojan for email-borne malware.
But researchers warn it's entirely possible there's worse to come, because the infamous Necrus botnet once controlled nearly half a million machines devoted to pumping out spam. Many of the messages the network sent distributed the still-unbreakable Locky ransomware.
Researchers say attacks both from Necrus and delivering Locky have quietly increased over the last week.
"Since late December we haven't seen the typical volume of Locky, however, a couple of days ago we finally started seeing some spam campaigns start delivering Locky again," Cisco's researchers say.
"The key difference here is around volume. We typically would see hundreds of thousands of Locky spam, [and now] we are currently seeing campaigns with less than a thousand messages.
"With both of these campaigns being relatively low volume these could be one offs or indicators of changes to come to the campaigns in the future."
One of the attacks delivers Locky through a twice-zipped attachment in emails with no subject or body text.
Those who execute the malware will also receive the Kovter advertising click fraud trojan.
"Crimeware is a lucrative endeavor with revenue rapidly approaching a billion dollars annually," Cisco's boffins say. "This doesn't come without significant risk and we may be entering a period where adversaries are increasingly cashing out from this activity early, to avoid severe penalties."