Locky Returns via Necurs Botnet

Researchers from Cisco Talos have observed the first large-scale Locky ransomware campaign in months, distributed through the Necurs botnet.

In a post on Talos's website on Friday, April 21, Nick Biasini explained that Talos had seen more than 35,000 emails in the space of several hours associated with this newest wave of Locky.

“This large wave of distribution has been attributed to the Necurs botnet which, until recently, had been focused on more traditional spam such as pump-and-dump spam, Russian dating spam, and work-from-home spam”, he wrote.

Locky was the dominant ransomware threat for most of 2016, but its distribution dropped sharply in the latter part of the year.

“This could be the first significant wave of Locky distribution in 2017,” Biasini added. “The payload hasn't changed but the methodology has; the use of PDFs requiring user interaction was recently seen by Dridex and has now been co-opted into Locky. This is an effective technique to defeat sandboxes that do not allow user interaction and could increase the likelihood of it reaching an end user's mailbox.”
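
The "PDF requiring user interaction" that Biasini describes belongs to a class of attachment that carries a second document inside the PDF and relies on a document action (in practice usually JavaScript) to hand that document to the reader once they click through, which is exactly the step an unattended sandbox never performs. Below is an added example, not code from the Talos post, from Cisco or from this article, that scans a PDF's raw bytes for the structural indicators of that class (an embedded file, JavaScript, an OpenAction, a Launch action, additional-action handlers) and decodes the `#xx` hex escapes that PDF allows inside name tokens, which otherwise hide `/JavaScript` from a naive substring match. The three sample PDFs, the `exportDataObject` call inside one of them, and the `is_dropper_like` heuristic are all constructed for this example and are assumptions about the general technique; the article does not describe the internals of the Locky PDFs.

```python
import re

# --- constructed sample PDFs (not real malware; built for this example) -------
# SAMPLE_PDF: an embedded document plus an /OpenAction running JavaScript that
# offers the attachment to the reader. The exportDataObject call is an assumed
# illustration of the "click to open" dropper shape, not taken from the article.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R
   /Names << /EmbeddedFiles << /Names [ (invoice.docm) 5 0 R ] >> >>
   /OpenAction << /S /JavaScript /JS (this.exportDataObject({cName:"invoice.docm", nLaunch:2});) >> >>
endobj
2 0 obj << /Type /Pages /Kids [ 3 0 R ] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
5 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >>
stream
PK\x03\x04
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# OBFUSCATED_PDF: identical structure, but the key names are hex-escaped
# (/Java#53cript is a legal spelling of /JavaScript) so that a plain
# substring search for b"/JavaScript" finds nothing.
OBFUSCATED_PDF = (SAMPLE_PDF
    .replace(b"/JavaScript", b"/Java#53cript")
    .replace(b"/JS", b"/J#53")
    .replace(b"/EmbeddedFiles", b"/Embedded#46iles")
    .replace(b"/EmbeddedFile ", b"/Embedded#46ile ")
    .replace(b"/OpenAction", b"/Open#41ction"))

# BENIGN_PDF: a plain one-page document with no actions and no attachments.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [ 3 0 R ] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >>
stream
BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF name token is "/" followed by regular characters or #xx escapes.
_NAME_TOKEN = re.compile(rb"/((?:[^\s/\[\]<>(){}%#]|#[0-9A-Fa-f]{2})+)")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens so /Java#53cript reads as /JavaScript."""
    def decode(m):
        return b"/" + _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return _NAME_TOKEN.sub(decode, data)

# Structural indicators of a PDF that carries and hands off a second document.
INDICATORS = {
    "embedded_file":      rb"/EmbeddedFiles?\b",     # attachment stored inside the PDF
    "javascript":         rb"/(?:JavaScript|JS)\b",  # script that can export/open it
    "open_action":        rb"/OpenAction\b",         # fires when the document opens
    "launch":             rb"/Launch\b",             # runs an external application
    "additional_actions": rb"/AA\b",                 # page/field event handlers
}

def scan_pdf(data: bytes) -> dict:
    """Return which indicators are present, plus any embedded file names."""
    norm = normalize_names(data)
    findings = {name: re.search(pat, norm) is not None for name, pat in INDICATORS.items()}
    # /Filespec entries name the attachment as /F (filename).
    findings["embedded_names"] = [
        m.group(1).decode("latin-1") for m in re.finditer(rb"/F\s*\(([^)]*)\)", norm)]
    # Dictionaries may live inside compressed object streams, which a raw byte
    # scan cannot see into; flag that instead of reporting a clean bill.
    findings["object_streams"] = b"/ObjStm" in norm
    return findings

def is_dropper_like(findings: dict) -> bool:
    """Assumed heuristic (not from the article): an embedded file together with
    any action capable of opening or exporting it marks a PDF whose purpose is
    to hand the reader a second-stage document after a click."""
    trigger = (findings["javascript"] or findings["open_action"]
               or findings["launch"] or findings["additional_actions"])
    return findings["embedded_file"] and trigger

if __name__ == "__main__":
    for label, pdf in [("sample", SAMPLE_PDF), ("obfuscated", OBFUSCATED_PDF), ("benign", BENIGN_PDF)]:
        f = scan_pdf(pdf)
        print(f"{label}: dropper_like={is_dropper_like(f)} {f}")
```

A mail gateway can use a verdict like this for triage: a PDF that carries an attachment and an action trigger is not "clean" just because it did nothing when opened unattended, and it should be routed to analysis that actually clicks through and opens the embedded document. Two caveats a practitioner should keep in mind: a raw byte scan sees nothing inside compressed object streams (hence the `object_streams` flag, which calls for a real parser that inflates them), and embedded files are also legitimate in PDF portfolios and form workflows, so this is a trigger for deeper inspection rather than a conviction on its own.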

This latest Locky surge shows that cyber-criminals continue to adapt their delivery techniques for maximum impact and profit, and underlines the ever-changing threat of email-based malware.

To conclude, Biasini pointed to the following Cisco products as defences against this type of risk:
• Advanced Malware Protection (AMP)
• CWS or WSA web scanning
• Email Security
• The network security protection of IPS and NGFW
• AMP Threat Grid
• Umbrella, Cisco's secure internet gateway (SIG)
