
Necurs botnet launches massive 47 million emails per day campaign

The Necurs botnet continued to launch massive global ransomware attacks through the Holiday Season with researchers stopping as many as 47 million emails per day.

Threat actors behind the attacks continue to distribute Locky and GlobeImposter ransomware, preferring to use either a malicious .vbs (Visual Basic Script) or .js (JavaScript) file located inside a .7z (7-Zip archive) to pull down the ransomware payload, according to a Dec. 26 blog post.

The 7-Zip archive keeps file sizes small to evade detection by basic email filters that don't scan inside archives. Between Dec. 19 and Dec. 22, AppRiver researchers spotted a large influx of attacks; at its peak, they blocked a maximum sustained traffic of 5,704,052 malicious emails sent by the for-rent botnet.
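A gateway-side check for the evasion described above, as an added example that is not from the article or from AppRiver: because a basic filter never sees the .vbs or .js inside a .7z, it identifies the archive by its 7z signature bytes rather than by file name and quarantines it. The function names, verdict strings and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # first six bytes of every 7z archive
SCRIPT_EXTS = (".vbs", ".js")          # script types named in the article


def classify_attachments(raw_message: bytes):
    """Return [(filename, verdict)] for each attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if data.startswith(SEVENZ_MAGIC) or name.endswith(".7z"):
            # Contents cannot be inspected here, so hold the whole archive.
            verdict = "quarantine-archive"
        elif name.endswith(SCRIPT_EXTS):
            verdict = "block-script"
        else:
            verdict = "allow"
        results.append((name, verdict))
    return results


def build_sample() -> bytes:
    """Constructed test message: attachment bodies are placeholder bytes, not real archives."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    fake_7z = SEVENZ_MAGIC + b"\x00" * 26
    samples = [
        ("invoice_1234.7z", fake_7z),
        ("scan.doc", fake_7z),            # archive renamed to dodge extension rules
        ("order.js", b"// placeholder"),
        ("notes.txt", b"hello"),
    ]
    for filename, body in samples:
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in classify_attachments(build_sample()):
        print(f"{name:20} {verdict}")
```

The renamed `scan.doc` is still quarantined because the decision is made on content, not on the extension the sender chose.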

On Dec. 19, all of the 45,976,814 malicious emails stopped were .7z archives that contained malicious .vbs files. On the next day, of the 47,309,380 messages stopped, 32,730,828 were .vbs files and the remaining 14,578,552 were JavaScript files.

“On Dec. 21 and 22, the traffic switched back over to the .js files and began to taper off,” researchers said. “We saw 36,290,981 and 29,602,971 messages blocked respectively, for those two days, before the botnet went quiet from Dec. 23-25. Today (Dec. 26), Necurs re-awoke from its slumber for a couple hours then went quiet again.”

AppRiver researcher David Pickett hypothesizes the threat actors may have been testing or monitoring the rate of infections before realizing many of their potential targets were on vacation.

Last month, Necurs pushed out a total of 12 million malicious emails in one morning, helping move it from tenth to eighth place on the month's Most Wanted Malware list.
