Stats & Trends
Ryan Harnedy
Jun 2016

The Largest Botnet in the World Suddenly Went Offline and Took Locky & Dridex Down with It


Your weekly dive into malware trends. This week's spotlight: The shutdown of the Necurs botnet and what it means for ransomware distribution. 


The Necurs Botnet is Down: Is This the End of Locky?

As you may have heard, Necurs, one of the most popular botnets for distributing Dridex and Locky ransomware, appears to have vanished. As security researchers have reported, traffic from Necurs has essentially dried up, and there's been a a massive drop in new Dridex and Locky spam campaigns since June 1

It was only four months ago that Locky first burst onto the scene, quickly gaining notoriety and infecting nearly 60,000 machines a day. But now with its distribution yanked out from under it, does this mean we've seen the last of Locky? 

To get more details, we asked Barkly Principal Malware Researcher Rick Correa to break down where botnets fit in when it comes to launching ransomware attacks, and whether the shut-down of Necurs really means the end of Locky and Dridex.  


Why is the Necurs botnet going offline such a big deal?

One of the reasons is that Necurs has been associated with the distribution of Dridex and Locky Malware. Specifically, both campaigns used Necurs for malware distribution via mass phishing campaigns. Initially, they used phishing messages with attachments containing a malicious office documents, but more recently, they shifted to zipped javascript downloaders.

At the same time, Locky seems to be tanking, too. Why does ransomware like Locky need a botnet like Necurs?

Most ransomware families rely on three major pieces:  

  1. Distribution
  2. Command-and-Control (C2)
  3. Payment infrastructure  

The same infrastructure can serve multiple roles, and not all families need all three. For ransomware, distribution is predominantly through hosting exploit kits or phishing operations. Command-and-control serves up encryption keys or region-customized ransomware messages, and the payment infrastructure handles decryption keys and bitcoin transactions. Taking down one or more pieces can have a devastating effect on a ransomware family like Locky.

Reports indicate the Angler exploit kit also hasn’t been seen since roughly the same time Necurs dropped off. Do you think there’s any correlation?

Very good question. The community is still trying to figure that out. There's some chatter that the drop in activity was a result of some recent arrests in Russia that were a result of hackers attacking local Russian banks. Whether that’s directly related or indirectly related (e.g. the malware authors are spooked that the heat is on), it’s likely temporary.

Could Locky be distributed through another botnet if Necurs is really gone?

It’s feasible, although one thing that isn’t publicly known is if authors behind Necurs are the same group behind Locky/Dridex. Like any business outsourcing decision, the malware authors need to evaluate the costs of shifting to another service.

How does the loss of a major exploit kit and a major botnet affect hackers’ ability to launch malware campaigns?

We see parallels between the malware world and the rest of the tech world. Much like how Amazon AWS have allowed tech companies to abstract out the infrastructure from their solutions, exploit kits and botnets-for-rent have enabled malware authors to abstract out delivery from the core malware, making it more resilient.

The loss of Angler and Necurs has increased the cost of distribution in the underground market. Malware business models will have to account for that or risk shutting down due to lack of resources. Revenue is also dictated by how many victims are willing and able to pay the ransom. Campaigns that aren’t able to convert victims to paid will likely disappear before law enforcement can reach them.

Does this mean we’ll be seeing fewer attacks? Or will we just see competing botnets and exploit kits step in and fill the void?

I do not think Dridex and Locky are dead. Dridex in particular has been a very resilient campaign that has survived other law enforcement challenges. Both campaigns are also known to fluctuate in big waves. In fact, we saw some new activity this week, and other researchers agree it may be too soon to count them out

I think, in the short term, we'll see other malware filling the void. But I don't think this is the last chapter of Dridex and Locky. 

Photo by Horst Gutmann

Ryan Harnedy

Ryan Harnedy

Ryan writes about how to make cybersecurity make sense to end users and keep employees safe from ransomware, malware, and phishing attacks. He enjoys decoding buzzwords and sharing security tips that users might actually follow.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.