Locky returns through new Necurs-powered spam campaigns

Ransom.Locky has returned after a month’s hiatus, with two new spam campaigns hinting at larger attacks to come. 

Cisco Talos researcher Nick Biasini said that Locky’s typical volume dropped in late December. However, earlier this week, two spam campaigns started spreading the ransomware again. The Backdoor.Necurs botnet appears to be behind these campaigns, though it is sending far fewer emails than before. “We typically would see hundreds of thousands of Locky spam, we are currently seeing campaigns with less than a thousand messages,” said Biasini.

The first campaign sends a blank email with a .zip attachment. The embedded file poses as a Word document, but is actually malicious JavaScript which delivers Locky and the click-fraud threat Trojan.Kotver. The second campaign sends a message claiming that a banking transaction was cancelled and includes a .rar attachment. The file contains JavaScript that ultimately deploys Locky on the compromised computer.
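The lure in both campaigns is the same: an archive attachment whose member is a script file dressed up as a document. A mail gateway or triage script can catch that pattern before anyone double-clicks it. The following Python example is added here and is not code from Symantec or Cisco Talos; it assumes a zip attachment (a .rar would need a third-party reader such as the rarfile package), uses an assumed list of Windows Script Host extensions and document magic bytes, and builds its own constructed sample archive rather than a real Locky sample.

```python
import io
import zipfile

# Extensions that Windows Script Host or mshta.exe will run on double-click (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}

# Leading bytes a genuine file of each document type begins with (assumed list).
DOCUMENT_MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound document
    ".xls": b"\xd0\xcf\x11\xe0",
    ".docx": b"PK\x03\x04",        # OOXML is itself a zip
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".rtf": b"{\\rtf",
}

RLO = "\u202e"  # right-to-left override, used to visually reverse part of a file name


def classify_member(name, head):
    """Return the reasons an archive member looks like a script disguised as a document.

    name: the member's file name inside the archive
    head: the first few bytes of the member's content
    """
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if RLO in base:
        reasons.append("right-to-left override in file name")
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script extension " + ext)
        # "invoice.doc.js" displays as "invoice.doc" when Explorer hides known extensions.
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_MAGIC:
            reasons.append("double extension mimics ." + parts[-2])
    elif ext in DOCUMENT_MAGIC and not head.startswith(DOCUMENT_MAGIC[ext]):
        reasons.append("content does not match " + ext + " magic bytes")
    return reasons


def scan_zip_bytes(data):
    """Scan an in-memory zip attachment; return {member name: [reasons]} for flagged members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample attachment (not a real Locky sample): two lures, two harmless files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Downloader-style script with a document-looking double extension.
        zf.writestr("invoice_2017.doc.js", "var s = new ActiveXObject('WScript.Shell');\n")
        # OOXML-looking stub whose bytes really do start with the zip magic.
        zf.writestr("report.docx", b"PK\x03\x04" + b"\x00" * 26)
        # Plain text file with no indicator.
        zf.writestr("notes.txt", "nothing to see here\n")
        # Claims to be an OLE document but the content is script text.
        zf.writestr("statement.doc", b"var x = 1;\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip_bytes(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

The extension check alone would miss a member whose name is simply "statement.doc", which is why the magic-byte comparison is kept as a second test; the two together cover both the hidden-extension trick and a renamed script, and the RLO check catches the remaining common disguise.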

Symantec is investigating these campaigns. 

2017-01-25T09:18:32+00:00 | February 10th, 2017