Many ransomware gangs rely on help from other members of the cybercrime ecosystem to distribute their malware, and when those connections don’t hold up, it can cause serious problems. That’s what’s happened to the Locky ransomware in the last few weeks, as its main distribution mechanism, the Necurs botnet, has disappeared.
The botnet has been distributing both Locky and the Dridex malware for about a year through millions of spam messages. The emails take a lot of different forms and come with different kinds of attachments, often zip archives. At the end of December, the Necurs botnet suddenly dropped off the map and stopped sending its normal high volume of spam. That dead period has continued into January, with the botnet sending fewer than a thousand spam emails a day.
Researchers have identified two separate Locky campaigns currently going on that are sending low volumes of spam but with some interesting features. One of the campaigns is sending blank emails that just contain a zip attachment.
“This resulted in two payloads being delivered to the system, Kovter Trojan and Locky ransomware. Kovter is primarily used in click-fraud campaigns and would continue to operate on the system after the user pays to have their files decrypted,” Biasini said.
The other campaign that has shown up in recent days uses emails whose text indicates a failed financial transaction as a lure for victims. The attachments are RAR files, which are less common than zip archives but are still familiar tools for malware gangs. This campaign also uses a Python user agent, which is atypical.
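The two indicators those paragraphs hand a defender, archive attachments (zip or RAR) on a blank or transaction-themed email and a Python user agent on outbound HTTP, are easy to turn into triage heuristics. The following is an added example, not code from the article or from the researchers it quotes. The proxy log format, the sample messages and the specific user-agent values are constructed for illustration; the prefixes `Python-urllib/` and `python-requests/` are the real defaults those two libraries send.

```python
import re
from email.message import EmailMessage

# Constructed sample proxy log lines (not from the article). Assumed format:
# <client> <method> <url> "<user agent>"
PROXY_LOG = [
    '10.0.0.12 GET http://example.test/index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/50.0"',
    '10.0.0.34 GET http://example.test/get.php "Python-urllib/2.7"',
    '10.0.0.34 POST http://example.test/upload "python-requests/2.12.4"',
    '10.0.0.56 GET http://example.test/news "Mozilla/5.0 (Windows NT 6.1) Chrome/55.0"',
]

LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# Default user-agent prefixes of Python's urllib and the requests library.
PYTHON_UA_RE = re.compile(r"^python-(urllib|requests)/", re.IGNORECASE)

ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
LURE_RE = re.compile(r"transaction|payment|invoice", re.IGNORECASE)


def flag_python_user_agents(lines):
    """Return (client, url, user agent) for requests carrying a Python user agent.

    Workstations normally browse with a browser UA, so a script UA from a user
    subnet is worth a look; from a server subnet it is usually legitimate.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and PYTHON_UA_RE.match(m["ua"]):
            hits.append((m["client"], m["url"], m["ua"]))
    return hits


def build_message(subject, body, attachment_name=None):
    """Construct a sample inbound message; attachment content is dummy bytes."""
    msg = EmailMessage()
    if subject:
        msg["Subject"] = subject
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00dummy", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


def mail_indicators(msg):
    """Return heuristic indicator names matching the two campaign shapes described."""
    indicators = []
    body_text = ""
    attachments = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    subject = msg["Subject"] or ""
    archives = [a for a in attachments if a.lower().endswith(ARCHIVE_EXTENSIONS)]

    # Campaign 1 shape: no subject, no body, just an archive attachment.
    if archives and not body_text.strip() and not subject.strip():
        indicators.append("blank-message-with-archive")
    # Campaign 2 shape: failed-transaction lure text plus an archive.
    if archives and LURE_RE.search(subject + " " + body_text):
        indicators.append("financial-lure-with-archive")
    # RAR is less common than zip in ordinary mail, so note it separately.
    if any(a.lower().endswith(".rar") for a in attachments):
        indicators.append("rar-attachment")
    return indicators


if __name__ == "__main__":
    for hit in flag_python_user_agents(PROXY_LOG):
        print("python UA:", hit)
    samples = [
        build_message("", "", "document.zip"),
        build_message("Payment failed", "Your transaction could not be completed, see attached file.", "details.rar"),
        build_message("Lunch", "See you at noon"),
    ]
    for sample in samples:
        print(repr(sample["Subject"]), mail_indicators(sample))
```

Both heuristics are deliberately coarse: a blank email with an archive, or an archive with a transaction lure, should route the attachment to sandboxing rather than block outright, and the Python user-agent match is most useful when restricted to source ranges where no scripted HTTP clients are expected.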
“Regardless of the campaign, the results are the same, with the OSIRIS variant of Locky being delivered onto end systems. These are some of the first spam campaigns we have seen delivering Locky since before the Christmas break and could be indicators of things to come. Locky appears to still be distributed through other means, such as exploit kits, but the spam volume is drastically lower than it was a few short weeks ago,” Biasini said.