PINDROP BLOG

Decline of Necurs Botnet Hurts Locky Ransomware

Many ransomware gangs rely on help from other members of the cybercrime ecosystem to distribute their malware, and when those connections don’t hold up, it can cause serious problems. That’s what’s happened to the Locky ransomware in the last few weeks, as its main distribution mechanism, the Necurs botnet, has disappeared.

The botnet has been distributing both Locky and the Dridex malware for about a year through millions of spam messages. The emails take a lot of different forms and come with different kinds of attachments, often zip archives. At the end of December, the Necurs botnet suddenly dropped off the map and stopped sending its normal high volume of spam. That dead period has continued into January, with the botnet sending fewer than a thousand spam emails a day.

Researchers have identified two separate Locky campaigns currently going on that are sending low volumes of spam but with some interesting features. One of the campaigns is sending blank emails that just contain a zip attachment.

“When the attachment is extracted there is a second zip file inside, 71344395.doc.zip, and this zip file uses double extensions in hopes that a user would think it is a doc file. Inside of this zip file is another double extension file 71344395.doc.jse. This is the malicious javascript which pulls the payload leading to Locky. In this particular campaign there are multiple payloads,” Nick Biasini of Cisco’s Talos research team said in an analysis of the campaign.

When that JavaScript file executes, it sends two GET requests to a remote server, which returns the two payloads.
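The nested double-extension layout described above (a `.doc.zip` archive holding a `.doc.jse` script) is easy to flag at a mail gateway before anything runs. The following is an added example, not code from the original post or from Talos: it builds a constructed, harmless attachment mirroring that layout, walks the archive and any zips nested inside it, and reports entries whose final extension is a script type hiding behind a document-like one. The extension lists and the depth limit are assumptions chosen for illustration.

```python
import io
import zipfile

# Extensions an attacker pairs with a document-like one to disguise a script
# (the campaign's sample: 71344395.doc.zip containing 71344395.doc.jse).
SCRIPT_EXTS = {"jse", "js", "wsf", "vbs", "hta", "exe", "scr"}
DOC_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt"}

def double_extension(name: str):
    """Return (inner_ext, outer_ext) if the file name looks like <doc>.<script>."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 3:
        return None
    inner, outer = parts[-2], parts[-1]
    if inner in DOC_EXTS and outer in SCRIPT_EXTS:
        return inner, outer
    return None

def scan_zip_bytes(data: bytes, depth: int = 0, max_depth: int = 3, prefix: str = ""):
    """Walk a zip (and zips nested inside it) and collect suspicious entries."""
    findings = []
    if depth > max_depth:  # assumed bound so a deeply nested archive cannot stall the scan
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            hit = double_extension(info.filename)
            if hit:
                findings.append((path, f"double extension .{hit[0]}.{hit[1]}"))
            if info.filename.lower().endswith(".zip"):
                # Nested archive: note a document-style name on the archive itself, then descend.
                parts = info.filename.lower().split(".")
                if len(parts) >= 3 and parts[-2] in DOC_EXTS:
                    findings.append((path, "archive named like a document"))
                findings.extend(scan_zip_bytes(zf.read(info), depth + 1, max_depth, path + "!/"))
    return findings

def build_sample() -> bytes:
    """Constructed attachment mirroring the campaign's layout; the script body is a placeholder."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("71344395.doc.jse", "// placeholder text, not a downloader\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("71344395.doc.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, reason in scan_zip_bytes(build_sample()):
        print(path, "->", reason)
```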

“This resulted in two payloads being delivered to the system, Kovter Trojan and Locky ransomware. Kovter is primarily used in click-fraud campaigns and would continue to operate on the system after the user pays to have their files decrypted,” Biasini said.

The other campaign that has shown up in recent days uses emails whose text indicates a failed financial transaction as a lure for victims. The attachments are RAR files, which are less common than zip archives but are still familiar tools for malware gangs. This campaign also uses a Python user agent, which is atypical.

“Regardless of the campaign the results are the same, with the OSIRIS variant of Locky being delivered on to end systems. These are some of the first spam campaigns we have seen delivering Locky since before the Christmas break and could be indicators of things to come. Locky appears to still be distributed through other means, such as exploit kits, but the spam volume is drastically lower than it was a few short weeks ago,” Biasini said.
