Locky was prolific in its heyday (unknown author via Wikimedia Commons)
Locky was prolific in its heyday (unknown author via Wikimedia Commons)

Locky ransomware appears to be fading into the background as the Necurs botnet abandons it in favor of more sophisticated financial fraud. Researchers have noticed a drop in the volume of Locky campaigns, even as they have observed the emergence of a new spam campaign.

Necurs is a massive botnet which was once the prime driver of the Dridex banking Trojan and Locky ransomware. Necurs appeared to have dropped Locky at the end of 2016, which corresponds with Cisco's Talos team observing a noticeable drop in the botnet's use of the ransomware since late December.

Locky campaigns were still being deployed, but at volumes far diminished from the hundreds of thousands of messages that a Locky campaign was sending in its heyday.

Ondrej Kubovič, security specialist at ESET, said that Locky had been in decline from an even earlier date than what Talos was reporting, claiming ESET had seen it begin to drop off in August 2016. “However, we cannot say what is the reason behind this decline. It would be merely our speculation as only ransomware operators know their own motivations.”


Since its inauspicious birth in February 2016, Locky has been a very popular brand of ransomware and was regularly updated with new techniques.

Like most malware, it has been traditionally delivered via an email and activated when its unlucky victims opt to enable the macros on an attached document. Once that trap is sprung, Locky sets about encrypting the files on the targeted computer.

Locky has been seen in a variety of high profile attacks including the 2016 breach on the Hollywood Presbyterian Medical Centre, in which the hospital had to pay US $17,000 (£13,600) to retrieve its data.

Talos researchers noted the joined fates of Locky and the Necurs botnet. In June 2016, when the botnet went offline, Locky campaigns dropped in kind.

Necurs has changed course, dropping Locky as its favorite weapon and resorting to more sophisticated scams. Security researchers have noticed the botnet sending out barrages of spam giving out dubious financial information.

Recently noticed spam sent through the botnet touts a company called inCapta as set to rise in value. The emails encourage the recipients to buy inCapta stock which will skyrocket tenfold in the next few days, due to a new piece of groundbreaking drone technology.  inCapta, according to the message, is due to acquired by a company called DJI (“the most prominent drone-maker in the world”).

The email proclaims that “this has the potential to literally change the world of news broadcasting as we know it”.

It promises “a premium of over 1,000% over Friday's closing price. Tell all your friends about INCT (inCapta) and make sure you buy it as soon as possible today at any price under 20 cents a share to guarantee yourself massive profits.”

A variety of security researchers dubbed the spam campaign, a pump and dump scam.

A ‘pump and dump' fraud is a scam in which stock is artificially inflated before before being dumped en masse, ensuring that those operating the scam reap the rewards of the inflation while leaving their victims in the lurch.

Necurs seems to be pursuing this new business aggressively. Conrad Longmore, a security researcher who has published examples of the email on his blog, wrote "It's been a long time since I've seen a pump-and-dump spam run illegally pushing a stock as hard as this".

InCapta did not respond to several requests for comment.