World’s Biggest Botnet “Necurs” Sends 12.5 Million Scarab Ransomware Emails

If you follow the cybersecurity world closely, you probably know about the Necurs botnet, one of the biggest botnets the world has seen. It’s known for playing a major role in spreading the Locky ransomware and the Dridex banking trojan. Over the past year, it has expanded this list to include other malware strains as well.

In the latest development, the Necurs botnet is being used to run a spam campaign that delivers the Scarab ransomware. Security firm F-Secure spotted the campaign, whose emails carried malicious VBScript downloaders compressed with 7zip. The script also contains several ‘Game of Thrones’ references, including JohnSnow and Samwell.

Within six hours of the first attack, 12.5 million emails were distributed, which is about two million messages per hour.

It’s worth noting that the email subject lines read “Scanned from (printer company name).” This theme is widely known to have been used for Locky ransomware. Here’s how to spot one:

Image: Sample email
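The two delivery traits described above (the “Scanned from …” subject theme and a 7zip attachment) can be checked at the mail gateway. The following is an added example, not code from F-Secure or from the original article; the quarantine policy, the sample addresses and the printer name are assumptions, and the attachment bytes are constructed rather than a real archive.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Standard 6-byte signature at the start of every 7z archive.
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
# Subject theme reported for this campaign: "Scanned from <printer company name>".
SUBJECT_RE = re.compile(r"^\s*Scanned from \S", re.IGNORECASE)

def triage(raw: bytes) -> dict:
    """Check one raw RFC 5322 message against the two campaign traits."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject_hit = bool(SUBJECT_RE.match(str(msg.get("Subject", ""))))
    sevenzip_hit = False
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        # Trust content over the file name: a renamed archive keeps its signature.
        if data.startswith(SEVENZIP_MAGIC) or name.endswith(".7z"):
            sevenzip_hit = True
    # Assumed policy: hold the message only when both traits coincide.
    return {"subject": subject_hit, "sevenzip": sevenzip_hit,
            "quarantine": subject_hit and sevenzip_hit}

def build_sample(subject: str, filename: str, data: bytes) -> bytes:
    """Construct a test message; addresses and body text are made up."""
    m = EmailMessage()
    m["From"] = "copier@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please find the scanned document attached.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_7z = SEVENZIP_MAGIC + b"\x00" * 32  # constructed bytes, not a real archive
    samples = [
        ("Scanned from ExamplePrinter", "scan_0001.7z", fake_7z),
        ("Scanned from ExamplePrinter", "scan_0001.pdf", b"%PDF-1.4\n"),
        ("Quarterly backup", "backup.7z", fake_7z),
    ]
    for subject, filename, data in samples:
        print(subject, filename, triage(build_sample(subject, filename, data)))
```

Requiring both traits keeps ordinary scanner-to-email PDFs and unrelated 7z attachments out of quarantine while still catching an archive that was renamed to another extension.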

Coming back to Scarab, it’s a relatively new ransomware based on HiddenTear, an open source ransomware proof of concept. It was discovered in June by Michael Gillespie, according to Forcepoint.

Once the ransomware infects a machine, it encrypts files and appends the “[[email protected]].scarab” extension to affected files. A ransom note with the filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” is also dropped in the affected directory.

Image: Ransom note

While the note doesn’t specify the ransom amount, it states that “the price depends on how fast you write to us”. The use of an email-based payment system has been seen often this year, including in the NotPetya attack.

Various studies and surveys have shown that ransomware is the fastest-growing type of malware. So, follow the best internet practices and avoid clicking on suspicious links in emails or on social networking websites.

Adarsh Verma

Fossbytes co-founder and an aspiring entrepreneur who keeps a close eye on open source, tech giants, and security. Get in touch with him by sending an email — [email protected]