Locky Ransomware Updated With Necurs Botnet


Locky Ransomware has evolved rapidly since it was first spotted. It appeared in February 2016, and by December 2016 five variants had been reported, named after the extensions they append to encrypted files: .zepto, .odin, .shit, .thor and .aesir. Every variant is distributed primarily through spam email. Rather than trying out new distribution channels, Locky maximizes the damage it can do by partnering with a threat that already enlists victims into a botnet.

The developers of Locky Ransomware send millions of spam emails to users all over the world. Each campaign uses a subject line crafted to trick the recipient into opening the attachment, typically a .zip archive containing a JavaScript (.js) or .vbs script. When the script runs, it fetches and launches the Locky payload on the targeted PC. The infection itself is enough to ruin the machine, but the campaigns do not end there: the same sending IP addresses are reused across successive waves of spam, and that reuse is the evidence that the campaigns originate from the Necurs botnet.
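The attachment pattern described above (a .zip whose contents are .js or .vbs scripts, sometimes with a decoy double extension) is easy to triage at the mail gateway by inspecting member names without extracting or running anything. The following is an added example written for this page, not code from the article or from any vendor product; the zip it inspects is constructed in memory, and the extension lists are assumptions chosen for illustration.

```python
"""Added example (not from the article): triage an e-mail attachment the way a
mail gateway would for a Locky-style campaign, a .zip whose members are .js or
.vbs scripts. The sample archive is constructed in memory; nothing is executed
or written to disk."""
import io
import posixpath
import zipfile

# Script types used by Locky downloaders (assumed list for the example).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Extensions that lull users into opening the file ("scan.pdf.vbs").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def split_extensions(name):
    """Return every extension in a file name, lower-cased, e.g.
    'a/scan.PDF.vbs' -> ['.pdf', '.vbs']."""
    base = posixpath.basename(name).lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def risky_attachments(zip_bytes):
    """Return (member_name, reason) for each zip member that is a script,
    distinguishing plain scripts from double-extension decoys."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = split_extensions(info.filename)
            if not exts or exts[-1] not in SCRIPT_EXTENSIONS:
                continue
            if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
                findings.append((info.filename, "script disguised as " + exts[-2]))
            else:
                findings.append((info.filename, "script attachment " + exts[-1]))
    return findings


def should_quarantine(zip_bytes):
    """Gateway decision: any script member is enough to hold the message."""
    return bool(risky_attachments(zip_bytes))


def build_sample_zip():
    """Constructed sample: one benign document and two script droppers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed benign placeholder")
        zf.writestr("invoice_3291.js", b"var s = new ActiveXObject('WScript.Shell');")
        zf.writestr("scan.pdf.vbs", b'Set o = CreateObject("MSXML2.XMLHTTP")')
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, reason in risky_attachments(sample):
        print(f"{member}: {reason}")
    print("quarantine:", should_quarantine(sample))
```

The check deliberately keys on the last extension, so a decoy like `scan.pdf.vbs` is still caught; Windows hides known extensions by default, which is exactly why these names fool users.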

In late May 2016, Locky Ransomware added a new loader that implemented three new anti-analysis tricks. The first targets virtual machines, whose emulated processors handle certain operations slowly: the loader counts the CPU cycles taken to execute particular Windows functions, and because those calls consume far more cycles inside a VM than on real hardware, a high count tells the loader it is being analysed. The second concerns the way Locky is launched from the JavaScript downloader: a value passed in by the script is converted to an integer and used as part of the loader's runtime obfuscation, so the loader does not unpack correctly when run on its own. The third hides the loader's secrets from inspection using an unusual method of executing code across modules.
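The first two tricks are easier to reason about in runnable form. The block below is an added example written for this page, not Locky's code: it reproduces the timing-based sandbox check and the "seed from the downloader" decoding dependency in portable Python. The timing stand-in uses `os.getpid()` and nanoseconds rather than Windows API calls and the CPU cycle counter, the threshold is an assumed calibrated value, and the LCG keystream, the seed and the payload are all constructed for illustration.

```python
"""Added example (not Locky's code): two of the loader's anti-analysis tricks
reduced to runnable Python. Threshold, keystream, seed and payload are all
constructed for the example."""
import os
import time


# Trick 1: time a cheap OS call. The real loader counted CPU cycles around
# Windows API calls; this portable stand-in times os.getpid() in nanoseconds.
def measure_syscall_ns(samples=200):
    """Smallest observed cost of one os.getpid() call. The minimum is used so
    scheduler noise inflates the figure as little as possible."""
    best = None
    for _ in range(samples):
        t0 = time.perf_counter_ns()
        os.getpid()
        dt = time.perf_counter_ns() - t0
        if best is None or dt < best:
            best = dt
    return best


def looks_like_sandbox(call_cost, threshold):
    """Decision rule: an unexpectedly expensive call suggests a hypervisor or an
    instrumented sandbox. `threshold` is an assumed value, not Locky's constant."""
    return call_cost > threshold


# Trick 2: the JavaScript downloader passes a numeric argument; the loader turns
# it into an integer and derives its decoding key from it, so the stage-2 blob
# never decodes when the loader is run on its own or with a wrong argument.
def keystream(seed, length):
    """Tiny LCG keystream, constructed for the example (not Locky's routine)."""
    state = seed & 0xFFFFFFFF
    out = bytearray()
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def seed_from_argument(arg):
    """Command-line string -> integer, as the script-supplied seed would be.
    A missing or garbled argument (what an analyst running the binary alone
    would supply) collapses to 0 and therefore to the wrong key."""
    try:
        return int(arg, 10)
    except (TypeError, ValueError):
        return 0


def xor_with_seed(data, seed):
    """Symmetric XOR against the seed-derived keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


# Constructed "stage-2 payload": a marker string encrypted under seed 321321.
EXPECTED_SEED_ARG = "321321"
PLAINTEXT = b"MZ-stage2-marker"
ENCRYPTED_BLOB = xor_with_seed(PLAINTEXT, seed_from_argument(EXPECTED_SEED_ARG))


def stage2_decodes(arg):
    """True only when the argument reproduces the key the blob was built with."""
    return xor_with_seed(ENCRYPTED_BLOB, seed_from_argument(arg)) == PLAINTEXT


if __name__ == "__main__":
    cost = measure_syscall_ns()
    print("min getpid() cost:", cost, "ns; sandbox?", looks_like_sandbox(cost, 5000))
    print("decode with right seed:", stage2_decodes("321321"))
    print("decode with no seed:", stage2_decodes(None))
```

For an analyst the practical consequences are the two things the sample shows: a sandbox must either make its API calls as cheap as bare metal or patch the timing check out, and the loader has to be launched with the exact argument the downloader script would have passed, which means recovering that value from the JavaScript before the binary will unpack.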

According to in-depth analysis by malware researchers, the Locky operators are suspected of paying the Necurs botnet to run their spam campaigns. Necurs is a massive botnet best known for delivering the Dridex banking Trojan and Locky Ransomware. Necurs-driven Locky campaigns were observed at the end of 2016, which matches the findings of Cisco's Talos team. Necurs has also changed course toward more sophisticated scams, sending out barrages of spam designed to extract victims' financial details.

Once Locky Ransomware gets onto a PC, it encrypts the user's files and makes them inaccessible, then demands a large ransom for the decryption tool. Do not make a deal with the attackers: there is no guarantee that paying produces a working decryptor. Some reports also claim that the ransomware gathers the victim's personal and financial data and exposes it publicly; whether or not that happens in a given case, the only safe course for your privacy and financial data is to remove Locky from the PC as soon as possible and restore the encrypted files from offline backups.

