47 Million Emails/Day: Necurs Botnet Launches Massive Ransomware Campaign

A cybersecurity firm has revealed it has blocked as many as 47 million emails per day spewed by the Necurs Botnet during the holiday season.

The operators of the comprehensive campaign continue to spread the Locky and GlobeImposter ransomware by using a malicious Visual Basic script (.vbs) or a JavaScript (.js) file located inside a compressed 7-Zip (.7z) archive to trigger the ransomware payload, researchers from AppRiver revealed.
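A gateway rule matching the delivery format described above, as an added example (not AppRiver's filter): it identifies 7-Zip attachments by their file signature rather than by name or declared MIME type, and flags bare .vbs/.js attachments. The verdict labels, file names and addresses are constructed for illustration, and the sample archive is only a signature followed by padding.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

SEVENZ_MAGIC = bytes.fromhex("377abcaf271c")  # 7z file signature
SCRIPT_EXTS = (".vbs", ".js")                 # script types named in the article

def classify_attachment(filename, payload):
    """Return a verdict label (labels are this example's own)."""
    name = (filename or "").lower()
    if payload.startswith(SEVENZ_MAGIC):
        # Content wins over the name: a renamed archive is still an archive,
        # and its contents cannot be inspected without unpacking it.
        return "7z-archive" if name.endswith(".7z") else "disguised-7z"
    if name.endswith(SCRIPT_EXTS):
        return "bare-script"
    return "ok"

def triage(raw):
    """Parse a raw RFC 5322 message and classify every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename()
        results.append((name, classify_attachment(name, payload)))
    return results

def build_sample():
    """Constructed message: two fake 7z blobs (one mislabelled) and a PDF stub."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Scan"
    msg.set_content("See attached.")
    fake_7z = SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 24  # signature + padding only
    msg.add_attachment(fake_7z, maintype="application",
                       subtype="x-7z-compressed", filename="IMG_0001.7z")
    msg.add_attachment(fake_7z, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in triage(build_sample()):
        print(name, verdict)
```

A production filter would go on to unpack flagged archives in an isolated environment and apply the script-extension check to the member names.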

Necurs is a for-rent botnet that has, over the years, been used for DDoS attacks, pump-and-dump stock spam, distribution of malware created by professional cybercriminal gangs, and more. The botnet is said to control up to 65 million compromised machines in total, with 1-2 million active at any given time.

Researchers added:

“It utilizes a kernel-mode driver to create a backdoor allowing remote access and control of the infected computer. This allows the operators to download malware, hide components from detection, and stop security applications from functioning properly.”

On December 19, the firm’s filters stopped a total of 45,976,814 malicious emails sent by the botnet. At peak traffic, filters caught a mammoth 4.6 million emails per hour, all of which carried 7-Zip files containing malicious Visual Basic scripts.

Come December 20, described as “the heaviest day we’ve seen this year (so far),” researchers tallied a total of 47,309,380 messages stopped by the filters. “Of those, 32,730,828 were the .vbs file, and 14,578,552 were the javascript file inside the .7z archive. Maximum sustained traffic was 5,704,052 million emails blocked during the 6 a.m. hour,” researchers added.

The researchers hypothesized that operators behind the ransomware campaign could have been testing and/or monitoring the rate of infections before realizing that most of their targets were away on vacation.
