World's largest spam offender comes back to life

Jun 22, 2016 01:50 GMT  ·  By

Three weeks of quiet is all we got from the world's biggest spam botnet, which appears to have come back to life and to be preparing new spam and malware distribution campaigns.

According to reports from MalwareTech and Proofpoint, the Necurs botnet, one of the world's largest botnets with 6.1 million bots, stopped all activity on May 31, when its main C&C servers went offline.

The Necurs shutdown was felt immediately: security researchers noticed a drop in the email spam delivering the Locky ransomware. Spam carrying the Dridex banking trojan slowed down as well, which was curious because Dridex is normally distributed from its own, separate botnet.

Necurs made a comeback this past Sunday

MalwareTech, who first reported the botnet's outage, has now detected new Necurs activity, and security firm AppRiver has confirmed his findings.

Necurs came alive again on Sunday, when the crooks behind the botnet set up new C&C servers; within a short time, a large number of bots were connecting to the new backend.

"The fact that bots will not stop polling the DGA until a C&C server replies with a digitally signed response would suggest that the botmasters are still fully in control of the botnet, or someone else has gotten a hold of the private key," MalwareTech explains.
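The mechanism MalwareTech describes, bots walking a DGA list and obeying only a reply that carries a valid signature, is what makes the botnet hard to hijack from the outside. The Python below is an added illustration written for this page, not Necurs code: the date-seeded DGA, the command format, the `.example` domains and the toy RSA key pair built from two well-known Mersenne primes are all assumptions made so the demo runs offline with only the standard library.

```python
"""Toy model of a DGA-polling bot that only obeys digitally signed C&C replies.

Added illustration for this article, not Necurs code: the DGA, message format
and key material are made up for the demo.
"""
import hashlib
from datetime import date

# Toy textbook-RSA key pair from two public Mersenne primes (M521 and M607).
# Anyone can factor this modulus; it merely stands in for the botmasters'
# real private key so the example needs no third-party crypto library.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
_N = _P * _Q
_E = 65537                       # public exponent, embedded in every bot
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent, held by the botmasters


def sign(msg: bytes, d: int = _D) -> int:
    """Sign SHA-256(msg) with the private exponent (textbook RSA, demo only)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(h, d, _N)


def verify(msg: bytes, sig: int) -> bool:
    """Check a signature using only the public key a bot ships with."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(sig, _E, _N) == h


def dga(day: date, count: int = 4) -> list:
    """Hypothetical date-seeded DGA: deterministic per day, so bots and
    botmasters independently agree on the same candidate domains."""
    seed = day.isoformat().encode()
    return [hashlib.sha256(seed + bytes([i])).hexdigest()[:12] + ".example"
            for i in range(count)]


def poll(day: date, registry: dict):
    """Bot loop: try each DGA domain in order and accept the first reply whose
    signature verifies. `registry` maps domain -> (payload, signature) and
    stands in for DNS plus whoever answers on that host."""
    for domain in dga(day):
        reply = registry.get(domain)
        if reply is None:
            continue                      # domain unregistered, keep polling
        payload, sig = reply
        if verify(payload, sig):
            return domain, payload        # genuine C&C found
        # unsigned or forged reply (sinkhole, researcher, rival): ignore it
    return None                           # nothing valid today, poll again tomorrow


def scenario(day: date = date(2016, 6, 19)):
    """Constructed scenario: a sinkhole squats the first DGA domain, the
    botmasters bring up a new C&C on the third."""
    doms = dga(day)
    cmd = b"campaign=locky;action=resume"
    squatter = {doms[0]: (b"action=halt", 12345)}          # no private key
    botmaster = {doms[2]: (cmd, sign(cmd))}                  # valid signature
    legit = poll(day, {**squatter, **botmaster})

    # If the private key ever leaks, the squatter's reply is accepted first.
    leaked = {doms[0]: (b"action=halt", sign(b"action=halt"))}
    hijacked = poll(day, {**leaked, **botmaster})
    return {"domains": doms, "legit": legit, "hijacked": hijacked}


if __name__ == "__main__":
    result = scenario()
    print("bot obeyed:", result["legit"])
    print("with leaked key, bot obeyed:", result["hijacked"])
```

Squatting a DGA domain without the private key gets the sinkhole nothing, since the bot skips the unverifiable reply and keeps polling; a leaked key, on the other hand, is as good as owning the botnet. That is exactly the dichotomy MalwareTech draws: either the original operators are back, or someone else now holds the key.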

Locky spam came back to life but in smaller numbers

As soon as the botnet returned, researchers also saw a resurgence of Locky spam, but it carried the same samples that antivirus products had already been detecting since May 31.

MalwareTech notes that the Necurs crew has always opened new campaigns with a fresh batch of not-yet-detected Locky samples, so this looked as if the operators had simply hit the "pause/resume" button on an older campaign.

Cyber-crime groups have been known to go quiet in the past, usually for maintenance or while upgrading their servers ahead of a large infrastructure change.

With no new Locky or Dridex samples observed from this botnet so far, we will have to wait and see what the Necurs team has in store, and whether this was one of those big upgrade moments.

UPDATE [June 23, 2016]: Proofpoint has published a report on Necurs' new activity as well, saying the botnet is now distributing Locky ransomware again.

UPDATE [June 26, 2016]: Security firm Check Point has also published a report on Locky's resurgence.

Number of spam emails coming from the Necurs botnet carrying malicious attachments