The Necurs spam botnet is back to shipping out Locky ransomware, researchers said.
Last year, Necurs was the main reason behind Locky's rise to the top of the ransomware charts, said researchers at Cisco Talos.
Following a hiatus in early 2017, Necurs started back up in April, but distributed Locky only for a few weeks.
Starting May 12, the same day WannaCry made its first appearance, Necurs switched to distributing a new ransomware family called Jaff, which researchers linked to Locky.
Earlier this month, however, Kaspersky Lab security researchers discovered vulnerabilities in Jaff and created a decryptor for it, allowing victims to recover their data. Three Jaff variants had been observed to date, and the decryption tool works for all three of them.
The decryptor’s release apparently took Jaff out of the race, and Necurs returned to pushing Locky once again. The spam emails pushing the ransomware feature a double-zipped archive with an .exe file inside. Unlike previous Necurs-driven campaigns, which used themes such as order confirmations, payment receipts, and business documents, the new messages are fake invoices.
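The double-zipped lure described above is a pattern a mail gateway can flag without running anything. The following is an added example, not code from the Talos report or the campaign itself: it builds a constructed nested archive (a fake PE payload two zip levels deep, mimicking the lure) and then walks nested zips recursively, reporting members that carry a PE header or an executable extension. The file names, the depth and size caps, and the sample payload are all assumptions chosen for illustration.

```python
import io
import zipfile

MAX_NESTING = 4            # assumption: refuse to descend deeper than this
MAX_MEMBER_BYTES = 10_000_000  # assumption: skip members that would inflate past this
EXEC_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".wsf")  # assumption: common lure types


def make_fake_pe() -> bytes:
    """Constructed sample, not real malware: a minimal MZ stub whose e_lfanew
    points at a 'PE\\0\\0' signature, enough to exercise the header check."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> right after the stub
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 200


def build_nested_zip(inner_name: str, payload: bytes, depth: int = 2) -> bytes:
    """Wrap payload in `depth` nested zip archives and return the outermost bytes.
    Intermediate archives are named invoice_<level>.zip (assumed names)."""
    data, name = payload, inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"invoice_{level}.zip"
    return data


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_executables(archive_bytes: bytes, path: str = "", depth: int = 0) -> list:
    """Recursively inspect a zip (and any zips inside it).
    Returns a list of (member_path, reason) findings; an empty list means clean."""
    findings = []
    if depth > MAX_NESTING:
        return [(path, "nesting deeper than allowed")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                # Declared size is untrusted, but large claims are a zip-bomb signal either way.
                findings.append((member, "oversized member, not extracted"))
                continue
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                findings.extend(find_executables(data, member, depth + 1))
            elif is_pe(data):
                findings.append((member, "PE executable (MZ/PE header)"))
            elif info.filename.lower().endswith(EXEC_EXTENSIONS):
                findings.append((member, "executable extension"))
    return findings


def should_quarantine(archive_bytes: bytes) -> bool:
    """Policy hook: any finding is enough to hold the message."""
    return bool(find_executables(archive_bytes))


if __name__ == "__main__":
    lure = build_nested_zip("invoice.exe", make_fake_pe())
    for member, reason in find_executables(lure):
        print(f"{member}: {reason}")
```

The header check matters more than the extension check: a renamed payload (`invoice.pdf.exe` or a bare `invoice.bin`) still starts with `MZ`, while a harmless text file named `.exe` is only flagged by extension. Keep the nesting and size caps; recursive extraction without them turns the scanner itself into a zip-bomb target.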
The newly observed campaign generates a high volume of spam: during its first hour it accounted for 7 percent of the email volume seen by one of Talos's systems. The volume has since decreased, but the campaign remains active, Talos researchers said in a blog post.
The campaign uses the same affiliate ID as before, but the ransomware itself appears to have undergone a series of changes, one of which prevents it from encrypting data on systems running operating systems more recent than Windows XP.