Security researchers have confirmed that one of the world's largest botnets has reactivated and resumed distributing Locky and Dridex malware payloads.

The Necurs botnet was shut down in early June, but appears to have returned.

"On the evidence of reused IP addresses, this campaign appears to be originating from the Necurs botnet," security company Proofpoint wrote in a blog post.

"As of the writing of this blog on 22 June, a second, much larger Locky campaign was underway, signaling a clear return of both Locky and the Necurs botnet."

The Necurs botnet is believed to be one of the biggest currently in operation, but on 1 June, Proofpoint noticed that activity around it sharply dropped off.

At the same time, campaigns of ransomware emails - which Proofpoint described as "among the largest we have ever observed" - also dropped substantially in volume.

This confirmed that the Necurs botnet was being used by cybercriminals as a ransomware delivery channel. As well as the Locky strain of ransomware, it was also used to distribute the Dridex banking trojan, which steals users' financial credentials.

After almost a month of inactivity, emails loaded with Locky and Dridex have begun to circulate again, which Proofpoint said suggests that "the Necurs spam cannon is functional again".