Locky Ransomware Returns yet Again Thanks to the Necurs Botnet

Even though a lot of people had hoped Locky ransomware would finally disappear into obscurity, it appears we are not so lucky after all. In fact, researchers indicate the malware is making a rather surprising return, thanks to the Necurs botnet. A new dedicated spam campaign is underway to bring this ransomware to as many people as possible.

The Return of Locky Ransomware (Again)

It appears certain types of malware are incredibly difficult to weed out altogether. Whereas some types of ransomware are popular for a few weeks or months and then disappear, there are always exceptions. Locky ransomware, one of the most destructive types of malware, is back once again. This time, its developers are trying to spread this malicious software through the Necurs botnet, which has proven to be quite effective in its own right.

It has been quite some time since researchers came across Locky ransomware for the last time. In fact, it appears 2017 would be spent without having to worry about this threat ever again. Sadly, the harsh reality sets in, as a new spam email campaign has been discovered which is actively distributing the Locky payload to victims all over the world. It is also apparent this campaign uses similar techniques to some of the more successful Dridex banking trojan campaigns.

One silver lining is how the Locky payload itself has not undergone any notable changes. Successful ransomware developers often release updated versions of their creations, which include new features to avoid detection or force users to pay a bitcoin ransom. So far, that does not appear to be the case with Locky, which is some relief. However, with the methodology of distribution changing, the threat should not be ignored by any means.

As one would somewhat expect, criminals now distribute this malware through PDF files, which require the victim to download and open the email attachment. There are two different email variants being sent out right now, one of which contains text, whereas the other one is blank. Every email is linked to a “Payment” or “Receipt” subject line, which validates the email attachment in question. The PDF file has an embedded Word document which contains the payload.

Although it remains unclear whether or not this campaign heralds a new wave of Locky distribution, security researchers are concerned about this development. That is not entirely surprising since the notorious malware impacts various hospitals and other major organizations over the past few years. Malware-laden Word documents are becoming the favorite tool among cybercriminals when it comes to distributing malicious software, that much is evident.

The Necurs botnet has been used successfully in distributing the Dridex banking Trojan over the past few months. Now that criminals are using the same strategy for ransomware, it is impossible to tell how things will evolve moving forward. Now is a good time to be even more cautious than ever when it comes to opening emails from unknown senders. The Necurs botnet has been widely appreciated by criminals as of late, as it has been used for pump-and-dump stock plays, work-from-home scams, and even Russian dating advertisements.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.