The Necurs botnet continued to launch massive global ransomware attacks through the Holiday Season with researchers stopping as many as 47 million emails per day.
The seven-zip archive keeps file sizes small to evade detection from basic email filters that don't scan inside archives. Between Dec. 19 and Dec. 22 AppRiver researchers spotted a large influx in attacks that at its peak, blocked a maximum sustained traffic of 5,704,052 malicious emails sent by the for-rent botnet.
“On Dec. 21 and 22, the traffic switched back over to the .js files and began to taper off,” researchers said. “We saw 36,290,981 and 29,602,971 messages blocked respectively, for those two days, before the botnet went quiet from Dec. 23-25. Today (Dec. 26), Necurs re-awoke from its slumber for a couple hours then went quiet again.”
AppRiver researcher David Pickett hypothesizes the threat actors may have been testing or monitoring the rate of infections before realizing many of their potential targets were on vacation.
Last month, Necurs pushed out a total of 12 million malicious emails in one morning helping move it from tenth to eight place for the month's Most Wanted Malware list.