Scarab ransomware joins with Necurs botnet for faster spread

The Scarab ransomware received an upgrade, and researchers have seen it being spread via the Necurs botnet, meaning the malware can spread to millions in a handful of hours.

Researchers saw a surge of activity, as the Scarab ransomware spread quickly to millions of victims via an email campaign run by a botnet, but updates since that initial wave have been lacking.

Ben Gibney and Roland Dela Paz, security researcher and senior security researcher, respectively, for Forcepoint Security Labs, reported a surge in volume of Scarab ransomware email being blocked by security systems on Nov. 23. According to the researchers, more than 12.5 million email messages were captured between 7 a.m. and 12 p.m. GMT, and the current campaign of Scarab ransomware used email that looked like scanned documents, similar to "Locky ransomware campaigns distributed via Necurs."

The Scarab ransomware was first seen in the wild in June, but the recent resurgence has been credited to the malware being spread via the Necurs botnet. Necurs was first discovered by cybersecurity vendors in 2012, and the botnet has grown steadily since that time. The Necurs botnet was previously used to spread the Dridex banking malware and Locky ransomware, though the botnet's activity decreased sharply following a series of raids and arrests of suspected hackers in Russia last year.

"By employing the services of larger botnets such as Necurs, smaller ransomware players such as the actors behind Scarab are able to run a massive campaign with a global reach," Gibney and Dela Paz wrote in a blog post. "It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns."

It is still unclear if the campaign was temporary, as Forcepoint has not released any updates to its initial figures since the post on Nov. 23, and the company has not responded to requests for more data as of the time of this article.

Andy Norton, director of threat intelligence at Lastline in Redwood City, Calif., said the Necurs botnet can be a dangerous delivery system, but as yet, it has only been seen propagating ransomware.

"Necurs is so popular to push malware and ransomware because it contains lots of concealment technology, like the use of packers to evade static analysis, and lots of evasion technology to avoid being discovered by behavioral malware analysis platforms," Norton told SearchSecurity. "It is able to survive inside an enterprise security environment, making it successful as a platform for delivering other subsequent malicious payloads."
