Necurs Botnet With Updated Locky Ransomware

Necurs Botnet Locky Ransomware

Necurs Botnet Locky Ransomware

On June 21, Proofpoint detected a large Locky campaign with zip attachments containing JavaScript code. If opened, these attachments would download and install Locky with an Affiliate ID of “1” and DGA seed of 7743. The messages in this campaign had the subjects “Re:” with the attachment “services_[name]_[6 random digits].zip”, “[name]_addition_[6 random digits].zip”  or “[name]_invoice_[6 random digits].zip”. The zip files contained JavaScript files named “addition-[random digits].js.”


Analysis of the sending IPs associated with this campaign suggest that the Necurs spam cannon is functional again and, unfortunately, we expect both Dridex and Locky email campaigns to begin again in earnest. We are already tracking a much larger Locky campaign on the second day of operation and will continue to monitor the situation.

ETPRO TROJAN Ransomware Locky,  Necurs Botnet Locky Ransomware

Read full article here