necurs
necurs

A new strain of ransomware has been discovered that is being distributed by the Necurs botnet, according to security researchers.

In a blog post by Forcepoint, researchers Ben Gibney and Roland Dela Paz said that a massive email campaign started at approximately 07:30 UTC on 23 November.

They said that the majority of the traffic is being sent to the .com top level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France and Germany.

According to researchers the email uses the subject “Scanned from {printer company name}” – a theme that is known to have been utilised for previous Locky ransomware campaigns distributed via Necurs. The email contains a 7zip attachment containing a VBScript downloader.

They said that the payload itself - Scarab - is a relatively new ransomware family that was discovered in June by Michael Gillespie.

In the particular variant observed being distributed today, the ransomware drops a file called %Application Data%\sevnz.exe and then creates a registry entry as an autostart mechanism.

Once installed it proceeds to encrypt files, adding the extension “.[suupport@protonmail.com].scarab” to affected files. A ransom note with the filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” is dropped within each affected directory.

“The misspelling of "support" is present in both the modified filenames and the ransom note, and is presumably a result of the availability of email addresses on the Protonmail service,” said researchers.

Researchers added that the note does not specify the amount being demanded, instead simply stating that "the price depends on how fast you write to us".

In a blog post by F-Secure, security researcher Päivi Tynninen said that Necurs tends to re-use the spam themes in its campaigns, sometimes within a rather short cycle.

“In this particular case, the subject lines used in this spam campaign were last seen in a Locky ransomware campaign exactly two weeks ago, the only difference being the extension of the attached downloader,” he said. “This has already given Scarab-ransomware a massive popularity bump.”

Forcepoint researchers warned that by employing the services of larger botnets such as Necurs, smaller ransomware players such as the actors behind Scarab are able to run a massive campaign with a global reach.

“It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns,” said Forcepoint researchers.

Andy Norton, director of threat intelligence at Lastline, told SC Media UK that the Necurs malware contains lots of concealment technology, like the use of packers to evade static analysis, and lots of evasion technology to avoid being discovered by behavioural malware analysis platforms.

“It is able to survive inside an enterprise security environment, and this makes it successful as a platform for delivering other subsequent malicious payloads. Ransomware is only one of the threat families it has been known to deliver,” he said.

Norton added that in this case for the scarab strain of ransomware, there is no decryption tool available at time of writing. However, we should not assume that reports of a large volume email campaign indicate that enterprise security environments have been compromised. “One of the unintended benefits of ransomware is that it has forced organisations to test backup procedures. So, in the unfortunate circumstance that someone did become infected with Scarab, they would only lose the data between the infection and the last backup,” he added.

Fraser Kyne, EMEA CTO at Bromium, told SC Media UK that there is a a lot of talk about educating users and detect-to-protect models of security, “but we also see a lot of breaches”.

“Clearly educating users doesn't work, as you can't always rely on busy workers to be fully alert to the danger signs. Similarly, the ‘whack-a-mole' model of detection is completely broken – once you have detected something is wrong it is already too late,” he said.