Scarab ransomware joins with Necurs botnet for faster spread

Researchers saw a surge of activity as the Scarab ransomware spread quickly to millions of victims via an email campaign run by a botnet, but updates since that initial wave have been lacking.

Ben Gibney and Roland Dela Paz, security researcher and senior security researcher for Forcepoint Security Labs LLC, based in Dublin, reported a surge in volume of Scarab ransomware emails being blocked by security systems on Nov. 23rd. According to the researchers, more than 12.5 million emails were captured between 07:00 and 12:00 UTC, and the current campaign of Scarab ransomware used emails that looked like scanned documents, similar to “Locky ransomware campaigns distributed via Necurs.”

The Scarab ransomware was first seen in the wild in June, but the recent resurgence has been credited to the malware being spread via the Necurs botnet. Necurs was first discovered by cybersecurity vendors in 2012, and the botnet has grown steadily since that time. The Necurs botnet was previously used to spread the Dridex banking malware and Locky ransomware, though the botnet’s activity decreased sharply following a series of raids and arrests of suspected hackers in Russia last year.

“By employing the services of larger botnets such as Necurs, smaller ransomware players such as the actors behind Scarab are able to run a massive campaign with a global reach,” Gibney and Dela Paz wrote in a blog post. “It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns.”

It is still unclear whether the campaign was temporary, as Forcepoint has not released any updates to its initial figures since the post on the 23rd, and the company has not responded to requests for more data as of the time of this article.

Andy Norton, director of threat intelligence at Lastline, said the Necurs botnet can be a dangerous delivery system, but as yet it has only been seen propagating ransomware.

“Necurs is so popular to push malware and ransomware because it contains lots of concealment technology like the use of packers to evade static analysis, and lots of evasion technology to avoid being discovered by behavioral malware analysis platforms,” Norton told SearchSecurity. “It is able to survive inside an enterprise security environment, making it successful as a platform for delivering other subsequent malicious payloads.”
