The Necurs botnet continued to launch massive global ransomware attacks through the holidays with researchers stopping as many as 47 million emails per day.
The seven-zip archive keeps file sizes small to evade detection from basic email filters that don't scan inside archives. Between 19 December and 22 December AppRiver researchers spotted a large influx in attacks that at its peak, blocked a maximum sustained traffic of 5,704,052 malicious emails sent by the for-rent botnet.
“On 21 December and 22 December, the traffic switched back over to the .js files and began to taper off,” researchers said. “We saw 36,290,981 and 29,602,971 messages blocked respectively, for those two days, before the botnet went quiet from 23-25 December. Today (26 December), Necurs re-awoke from its slumber for a couple hours then went quiet again.”
AppRiver researcher David Pickett hypothesises the threat actors may have been testing or monitoring the rate of infections before realising many of their potential targets were on vacation.
Last month, Necurs pushed out a total of 12 million malicious emails in one morning helping move it from tenth to eight place for the month's Most Wanted Malware list.