Necurs botnet launches massive 47 million emails per day campaign
Necurs botnet launches massive 47 million emails per day campaign

The Necurs botnet continued to launch massive global ransomware attacks through the holidays with researchers stopping as many as 47 million emails per day.

Threat actors behind the attacks continue to distribute Locky and GlobeImposter ransomware preferring to use either a malicious .vbs  (visual basic script) or .js (javascript) file located inside a .7z (seven-zip archive) to pull down the ransomware payload, according to a 26 December blog post.

The seven-zip archive keeps file sizes small to evade detection from basic email filters that don't scan inside archives. Between 19 December and 22 December AppRiver researchers spotted a large influx in attacks that at its peak, blocked a maximum sustained traffic of 5,704,052 malicious emails sent by the for-rent botnet.

On 19 December, all of the 45,976,814 malicious emails stopped were .7z archives that contained malicious .vbs and on the next day, of the 47,309,380 messages stopped, 32,730,828 were the .vbs file, and the remaining 14,578,552 were javascript files.

“On 21 December and 22 December, the traffic switched back over to the .js files and began to taper off,” researchers said. “We saw 36,290,981 and 29,602,971 messages blocked respectively, for those two days, before the botnet went quiet from 23-25 December. Today (26 December), Necurs re-awoke from its slumber for a couple hours then went quiet again.”

AppRiver researcher David Pickett hypothesises the threat actors may have been testing or monitoring the rate of infections before realising many of their potential targets were on vacation.

Last month, Necurs pushed out a total of 12 million malicious emails in one morning helping move it from tenth to eight place for the month's Most Wanted Malware list.