Botnet Teams with Ransomware

Monday, April 24, 2017 @ 03:04 PM gHale

A well-established botnet is sending out ransomware in search of more victims.

The Necurs botnet has, once again, begun pushing Locky ransomware on victims.


The Necurs botnet was sending out the Locky ransomware over a period of a few days last week, said Cisco Talos researchers.

“Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky,” said Cisco Talos researchers.

In the first part of the spam campaign, the emails contain no text except in the Subject line, which simply says “Receipt” or “Payment”, followed by random numbers. Those numbers are seen again in the name of the attached PDF file.

Later, the emails ended up looking like they contained a scanned image in PDF format for the victim to view.
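As an added example, not from the article or from Talos, here is a small triage check a mail-gateway hook could apply using the lure traits described above (keyword-plus-number subject, empty body, PDF attachment whose name repeats the number). The regex, the Message shape and the sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Lure subject: the keyword "Receipt" or "Payment" followed by a run of digits
# (regex is this example's assumption, modelled on the campaign description).
SUBJECT_RE = re.compile(r"^\s*(receipt|payment)[\s_-]*(\d{3,})\s*$", re.IGNORECASE)

@dataclass
class Message:
    """Minimal gateway view of an inbound mail (constructed shape, not a real format)."""
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)

def locky_lure_indicators(msg: Message) -> list[str]:
    """Return the campaign traits the message exhibits (empty list = no match)."""
    hits = []
    m = SUBJECT_RE.match(msg.subject)
    if not m:
        return hits  # no keyword+number subject: not the lure described here
    hits.append("subject:keyword+number")
    number = m.group(2)
    pdfs = [a for a in msg.attachments if a.lower().endswith(".pdf")]
    if pdfs:
        hits.append("attachment:pdf")
    if any(number in a for a in pdfs):
        hits.append("attachment:number-matches-subject")
    if not msg.body.strip():
        hits.append("body:empty")
    return hits

def is_suspected_lure(msg: Message) -> bool:
    """Flag a keyword+number subject paired with a PDF whose name repeats the number,
    or with a PDF and an empty body (the two traits described in the article)."""
    hits = set(locky_lure_indicators(msg))
    return "attachment:pdf" in hits and (
        "attachment:number-matches-subject" in hits or "body:empty" in hits)

# Constructed sample messages for demonstration, not real campaign data.
SAMPLES = [
    Message("Receipt 48213", "", ["Receipt_48213.pdf"]),          # number repeated
    Message("Payment_7731", "  ", ["scan.pdf"]),                   # empty body + PDF
    Message("Receipt 2048", "Attached is your receipt.", ["receipt-2048.pdf"]),
    Message("Payment reminder", "", ["invoice.pdf"]),              # no number
    Message("Receipt 5555", "", ["photo.jpg"]),                    # no PDF
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.subject!r:20} {is_suspected_lure(s)!s:5} {locky_lure_indicators(s)}")
```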

The attached PDF contains an embedded Word document carrying macros, and for the document to open and the macros to run, the user has to enable them. This happens when the victim sees a note saying the document is protected and that “Enable editing” must be clicked in order to view it.

Before that, the victims also receive a prompt to allow the opening of the file – a step that’s required for the malware to bypass the protection offered by the program’s sandbox.

“The word document itself contains an XOR’d Macro that downloaded the Locky sample from what is likely a compromised website,” researchers said.

The DNS requests associated with the domain serving the malware have been spiking, but it’s difficult to determine whether these requests come from victims or from security practitioners investigating this campaign.

Users who go through all the steps required to run the malware will end up with their files encrypted and the .osiris extension added to them. The criminals behind the ransomware are asking for 0.5 Bitcoin (around $620) in order to decrypt the files.

There is currently no way to decrypt the files without paying the ransom.
