Security Experts:

Connect with us

Hi, what are you looking for?



Necurs Botnet Distributing Locky Ransomware via Fake Invoices

The Necurs spam botnet has switched back to distributing the Locky ransomware in a campaign featuring messages disguised as fake invoices, Cisco Talos security researchers reveal.

The Necurs spam botnet has switched back to distributing the Locky ransomware in a campaign featuring messages disguised as fake invoices, Cisco Talos security researchers reveal.

Last year, Necurs was the main driver behind Locky’s ascension to the top of the ransomware charts, and their activity was tightly connected. Following several months of vacation in early 2017, Necurs resumed activity in April, but distributed Locky only for a few weeks.

Starting around May 12, the same day WannaCy made its first appearance, Necurs switched to distributing a new ransomware family called Jaff. The malware was found to be tightly connected to Locky, as the same actor operated both ransomware families.

Earlier this month, however, Kaspersky Lab security researchers discovered vulnerabilities in Jaff and managed to create a decryptor for it, allowing victims to recover their data for free. Although three Jaff variants were observed to date, the decryption tool would work for all three of them.

The decryptor’s release apparently took Jaff out of the race, and Necurs returned to pushing Locky once again. The spam emails pushing the ransomware feature a double-zipped archive with an .exe file inside. Unlike previous Necurs-driven campaigns, which used themes such as order confirmations, payment receipts, and business documents, the new messages are fake invoices.

The newly observed campaign, Talos reports, features a notable volume of spam: during the first hour, it accounted for around 7% of the email volume registered by one of the company’s systems. The volume has decreased, but the campaign continues to be active, the security researchers say.

The campaign uses the same affiliate ID as before, but the ransomware itself appears to have suffered a series of changes, one of which prevents it from encrypting data on systems running under operating systems more recent than Windows XP.

The command and control (C&C) URL structure is another notable aspect of this campaign, the security researchers say: “Adversaries behind this latest Locky campaign have reused the /checkupdate path as part of the URL structure — the same URL structure found in previous Locky campaigns. This is perhaps another indication that adversaries were hasty in their developing and distributing this campaign.”

Talos suggests that Locky’s operators are likely aware of the existing issues with the ransomware, and that an updated variant of the malware is likely to emerge soon, addressing the bug. At the moment, however, the Locky sample distributed via Necurs can encrypt only Windows XP systems.

“It’s always risky clicking on links or opening attachments in strange email messages. Users that fail to heed this advice can easily become ransomware victims, and if the subsequent ransom is paid, the monies will no doubt fund another round of attacks. As always, organizations are encouraged to make regular backups of their data, practice restoring said data, and store backups offline far out of the reach of potential criminals,” Talos said.

Related: Jaff Ransomware Operation Tied to Cybercrime Store

Related: Locky Ransomware Returns in New Necurs-driven Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.