A million emails per day. That’s how much spam Bitdefender has seen starting the 21st June, in a massive campaign spreading the infamous Locky ransomware.
After weeks of silence, we’ve seen a sudden spike in ransomware-infected emails,” Adrian Miron, Antispam researcher says. “We believe this may be linked with the re-emergence of Necurs”.
The Necurs botnet, one of the largest and most resilient criminal botnets out there, has reportedly made a comeback with an enhanced version of Locky ransomware, among other threats.
Necurs is a peer-to-peer hybrid botnet totaling about 1,700,000 infected computers. Until June 1st, it was one of the most active botnets, with millions of bots serving large volumes of spam emails. But around May 31st, the Necurs C&C servers went offline and traffic dropped significantly.
“We’ve seen a huge decrease in malicious traffic since”, Motherboard wrote at the time. “Locky has completely disappeared.” Coincidentally, or not, in the same time, Russia’s FSB security service said it had arrested a gang of around 50 hackers who had stolen over 1.7 billion roubles ($25.33 million) from Russian institutions and banks via the Lurk Trojan.
In late May, Locky added a new loader with new anti-analysis tricks, according to Proofpoint analysts. One of the techniques targets virtual machines (VMs) with poor maintenance of realistic processor timestamp counter values. The malware compares time spent loading certain Windows functions in the OS versus a virtual environment and thus, can identify whether it is running in a virtualized environment.
Bitedefender detects and blocks this threat as Gen:Variant.Locky.15.