Locky - Necurs Spewing Millions of Malicious Emails

  • skeeved's picture
  • Posted on: 24 April 2017
  • By: skeeved

Friday, April 21st researchers began seeing Necurs botnet activity which has been confirmed as a new variant of the Locky ransomware. The new variant is currently being delivered as an embedded Word document contained in a PDF attachment.

The new version of Locky contains several new features designed to thwart analysis while running in a sandbox environment. The malware measures CPU cycles used to perform Windows system function calls (more cycles used indicates a virtual environment) and also relocates its executable code within memory to make it more difficult to analyze the codes execution.

The current text of the messages being used to distribute the malware look like:

Dear (random name):
Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter. Hoping the above to your satisfaction, we remain.
Sincerely, (random name and title).