
A disruption in the Necurs botnet occurred at the same time as a drop in Locky and Dridex activity, leading researchers to believe the two events are related.

Researchers at Proofpoint explain they first detected a significant decline in malicious spam campaigns leveraging Locky and Dridex as payloads on June 1st.

First detected back in February 2016, Locky ransomware made a name for itself after infecting the computer system at Hollywood Presbyterian Medical Center in southern California.

The hospital ultimately decided to pay the ransom fee of $17,000 to those responsible for the attack.

The Dridex banking trojan, by contrast, has been circulating in the wild for years. It’s netted tens of millions of dollars from victims based in the United Kingdom and the United States alone, which led the two countries to create a law enforcement partnership designed to take down the botnet created by the malware.

In October 2015, that partnership succeeded in arresting one of the administrators of the Dridex botnet.

At around the same time as Locky and Dridex campaigns all but stopped, Proofpoint observed an outage in the Necurs botnet, a peer-to-peer (P2P) hybrid botnet which allows for some communication between “nodes” that act as distributed command and control (C&C) servers and “worker” bots that send commands to regular bots:

“This confirmed our suspicion that the threat actors behind Locky ransomware and Dridex banking Trojans have been using the Necurs botnet to distribute their massive email campaigns.”

[Figure 1: Number of IPs sending malicious document attachments (presumably from the Necurs botnet) over time. (Source: Proofpoint)]

[Figure 2: Volume of email messages carrying malicious document attachments over time. (Source: Proofpoint)]

Security researcher MalwareTech notes the Necurs botnet currently consists of around 6.1 million bots, by far the largest botnet ever recorded.

Though its activity has dropped off significantly, that doesn’t mean Necurs is down and out.

Proofpoint’s researchers note they’ve observed some small-scale Dridex campaigns across their customer base since the botnet essentially went offline.

They’ve also witnessed activity that would suggest the Necurs bots are looking for a new C&C server:

“The Necurs outage last week is our most obvious evidence to date of its use in the massive Locky and Dridex campaigns that we have been tracking this year. While this is not the first apparent Necurs outage we have seen, available data suggest that it involved a significant and ongoing failure of the C&C infrastructure behind the botnet…. It remains to be seen if the Necurs botmasters will succeed in retaking control of their botnet.”

Proofpoint will continue to monitor the situation and provide updates.