
Unbreakable Locky ransomware is on the march again

Necurs botnet wakes up and starts fresh malware-cano

Cisco is warning of possible return of a massive ransomware spam campaign after researchers noticed traces of traffic from the hitherto dormant Necurs botnet.

The attacks are tiny: Cisco's security team has so far found fewer than a thousand Necurs spam messages.

Those numbers pale in comparison to the attacks seen when Necurs' payload, Locky, first surfaced in early 2016, infecting hospitals across the US and Japan and outpacing the Dridex banking trojan as the most common email-borne malware.

But researchers warn it's entirely possible there's worse to come, because the infamous Necurs botnet once controlled nearly half a million machines devoted to pumping out spam. Many of the messages the network sent distributed the still-unbreakable Locky ransomware.

Researchers say both Necurs spam activity and spam delivering Locky have quietly increased over the last week.

"Since late December we haven't seen the typical volume of Locky, however, a couple of days ago we finally started seeing some spam campaigns start delivering Locky again," Cisco's researchers say.

"The key difference here is around volume. We typically would see hundreds of thousands of Locky spam, [and now] we are currently seeing campaigns with less than a thousand messages.

"With both of these campaigns being relatively low volume these could be one-offs or indicators of changes to come to the campaigns in the future."

One of the attacks delivers Locky through a twice-zipped attachment in emails with no subject or body text.

Those who execute the malware also receive the Kovter trojan, which commits advertising click fraud.

Malware writers seemed to remember to type something in their emails a day later, sending fake transaction-failure messages carrying a JavaScript file named doc_details wrapped in a RAR archive.
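A mail-gateway triage check for the two delivery patterns described above (a message with no subject or body carrying a zip inside a zip, and a script file wrapped in an archive), added here as an example and not code from Cisco or The Register. The message, attachment names and file contents are constructed; the RAR branch goes by filename only, because the standard library cannot open RAR archives.

```python
import io
import zipfile
from email.message import EmailMessage

SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")  # run directly on double-click

def unwrap_zip_layers(data: bytes, name: str, max_depth: int = 5):
    """Peel single-file zip layers; return (layers peeled, innermost file name)."""
    depth = 0
    while depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if len(names) != 1:  # multi-file archives are left to a sandbox
                break
            name, data = names[0], zf.read(names[0])
        depth += 1
    return depth, name

def triage_message(msg: EmailMessage) -> list:
    """Return reasons to hold `msg` for review; an empty list means nothing matched."""
    reasons = []
    empty_subject = not (msg.get("Subject") or "").strip()
    body = msg.get_body(preferencelist=("plain", "html"))
    empty_body = body is None or not body.get_content().strip()
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        depth, inner = unwrap_zip_layers(part.get_payload(decode=True) or b"", fname)
        if depth >= 2:
            reasons.append(f"{fname}: zip nested {depth} layers deep")
        if depth and inner.lower().endswith(SCRIPT_EXTS):
            reasons.append(f"{fname}: script file {inner} inside archive")
        if fname.endswith(".rar"):
            # the stdlib cannot open RAR, so the name alone sends it to a sandbox
            reasons.append(f"{fname}: RAR attachment, contents need sandbox inspection")
        if (depth or fname.endswith(".rar")) and empty_subject and empty_body:
            reasons.append(f"{fname}: archive sent with no subject and no body text")
    return reasons

def build_sample() -> EmailMessage:
    """Constructed message mirroring the campaign: empty mail, zip in zip, JS inside."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("doc_details.js", "// constructed placeholder, not a real payload\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("doc_details.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="details.zip")
    return msg
```

The `max_depth` guard keeps the unwrapper from looping on deliberately deep nesting; anything it cannot settle (multi-file or RAR archives) is reported for sandbox detonation rather than silently passed.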

"Crimeware is a lucrative endeavor with revenue rapidly approaching a billion dollars annually," Cisco's boffins say. "This doesn't come without significant risk and we may be entering a period where adversaries are increasingly cashing out from this activity early, to avoid severe penalties." ®
