Cisco is warning of possible return of a massive ransomware spam campaign after researchers noticed traces of traffic from the hitherto dormant Necurs botnet.
The attacks are tiny: Cisco's security team has so far found fewer than a thousand Necurs spam messages.
Those numbers pale in comparison to attacks when Necurs' payload, Locky, first surfaced in early 2016, infecting hospitals across the US and Japan, and outpacing the Dridex banking trojan for email-borne malware.
But researchers warn it's entirely possible there's worse to come, because the infamous Necurs botnet once controlled nearly half a million machines devoted to pumping out spam. Many of the messages the network sent distributed the still-unbreakable Locky ransomware.
Researchers say attacks both from Necurs and delivering Locky have quietly increased over the last week.
"Since late December we haven't seen the typical volume of Locky, however, a couple of days ago we finally started seeing some spam campaigns start delivering Locky again," Cisco's researchers say.
"The key difference here is around volume. We typically would see hundreds of thousands of Locky spam, [and now] we are currently seeing campaigns with less than a thousand messages.
"With both of these campaigns being relatively low volume these could be one offs or indicators of changes to come to the campaigns in the future."
One of the attacks delivers Locky through a twice-zipped attachment in emails with no subject or body text.
Those who execute the malware will also receive the Kovter advertising click fraud trojan.
"Crimeware is a lucrative endeavor with revenue rapidly approaching a billion dollars annually," Cisco's boffins say. "This doesn't come without significant risk and we may be entering a period where adversaries are increasingly cashing out from this activity early, to avoid severe penalties." ®