At the beginning of June, the Necurs botnet went offline, which caused its Dridex and Locky malware campaigns to drop off as well. With TeslaCrypt halting operations and Locky no longer being heavily distributed, this void was quickly filled by the CryptXXX and Crysis ransomware infections.

On Monday, ProofPoint noticed a multi-million-message Locky email campaign, which appears to originate from the Necurs botnet. At this time, researchers still do not know what caused Necurs to go offline, but with Locky back, CryptXXX will definitely have a run for its money.

According to ProofPoint, this new Locky campaign uses emails with the subject "Re:" and attachments named services_[name]_[6 random digits].zip, [name]_addition_[6 random digits].zip, or [name]_invoice_[6 random digits].zip. Each zip file contains a JavaScript file named addition-[random digits].js. An example of one of these emails, courtesy of ProofPoint, can be seen below.

[Image: Email distributing Locky. Source: ProofPoint]

When a recipient double-clicks on the JavaScript file, it will download the Locky executable, save it in the %Temp% folder, and execute it. This new variant also contains new anti-virtual machine code to make it more difficult for security researchers to analyze it from a virtual machine.
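As an added illustration (not code from the article or from ProofPoint), the following Python mail-gateway check turns the naming patterns reported above into a triage heuristic: it flags a bare "Re:" subject, a zip attachment whose name follows one of the three reported patterns, and a zip that carries an addition-[digits].js script. The sample attachment is constructed in memory; the assumed character class for [name] (letters, digits, dots, hyphens) is a guess, since the article does not specify it.

```python
import io
import re
import zipfile

# Attachment naming patterns reported for this campaign:
#   services_[name]_[6 random digits].zip
#   [name]_addition_[6 random digits].zip
#   [name]_invoice_[6 random digits].zip
# each containing addition-[random digits].js
# Assumption: [name] contains no underscores (the underscore is the separator).
ZIP_NAME_RE = re.compile(
    r"^(?:services_[A-Za-z0-9.-]+_\d{6}|[A-Za-z0-9.-]+_(?:addition|invoice)_\d{6})\.zip$",
    re.IGNORECASE,
)
INNER_JS_RE = re.compile(r"^addition-\d+\.js$", re.IGNORECASE)


def attachment_matches_campaign(subject, zip_name, zip_bytes):
    """Return the list of reasons the attachment resembles this Locky lure.

    An empty list means nothing matched. The check is heuristic: it keys on
    the naming conventions the campaign used, so a renamed lure will not match.
    """
    reasons = []
    if subject.strip().lower() == "re:":
        reasons.append("bare 'Re:' subject")
    if ZIP_NAME_RE.match(zip_name):
        reasons.append("zip name matches campaign pattern")
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for member in zf.namelist():
                # Look only at the file name, ignoring any directory prefix.
                if INNER_JS_RE.match(member.rsplit("/", 1)[-1]):
                    reasons.append(f"archive contains downloader-style script {member}")
    except zipfile.BadZipFile:
        pass  # not a zip at all; nothing to inspect here
    return reasons


def make_sample_zip(inner_name, content=b"// constructed placeholder, not malware\n"):
    """Build an in-memory zip holding one harmless file (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    lure = make_sample_zip("addition-483921.js")
    print(attachment_matches_campaign("Re:", "acme_invoice_102938.zip", lure))
    print(attachment_matches_campaign("Quarterly report", "report.zip", make_sample_zip("report.pdf")))
```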

Otherwise, the ransomware itself appears to be unchanged. If any new features are discovered, we will be sure to post them here.