Locky ransomware makes a comeback, courtesy of Necurs botnet

The Necurs botnet has, once again, begun pushing Locky ransomware on unsuspecting victims.

Locky Necurs

The botnet, which flip-flops from sending penny stock pump-and-dump emails to booby-trapped files that lead to malware (usually Locky or Dridex), has been spotted slinging thousand upon thousand of emails in the last three or four days.

“Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky,” Cisco Talos researchers noted on Friday.

In the first part of the spam campaign, the emails contain no text except in the Subject line, which simply says “Receipt” or “Payment”, followed by random numbers. Those numbers are seen again in the name of the attached PDF file (as seen in the screenshot above).

Later, the emails were made to look like they contained a scanned image in PDF format for the recipient to peruse.

In both cases, the attached PDF contains embedded Word documents with macros, and in order for them to be opened and run the aforementioned macros, users are required to enable them. This is achieved through subterfuge: the victims are shown a note saying that the document is protected, and that they have to “Enable editing” in order to view it.

Before that, the victims are also prompted to allow the opening of the file – a step that’s required for the malware to bypass the protection offered by the program’s sandbox.

“The word document itself contains an XOR’d Macro that downloaded the Locky sample from what is likely a compromised website,” the researchers explained, noting that the DNS requests associated with the domain serving the malware have been spiking, but that it’s difficult to determine if these requests are from victims or the many security practitioners that are investigating this widespread campaign.

Users who go through through all the motions required to serve the malware will end up with their files encrypted and the .osiris extension added to them. The criminals behind the ransomware are asking for 0.5 Bitcoin (around $620) in order to decrypt the files.

Unfortunately for them, there is currently no way to decrypt the files without paying the ransom, so they’ll need to choose between losing the files (if they have no backup) or paying up (although there is no guarantee that the crooks will keep their word).

Don't miss