Researchers saw a surge of activity as a botnet-driven email campaign pushed the Scarab ransomware to millions of email addresses in a matter of hours, but updates since that initial wave have been lacking.
Ben Gibney and Roland Dela Paz, security researcher and senior security researcher, respectively, for Forcepoint Security Labs, reported a surge in the volume of Scarab ransomware emails being blocked by security systems on Nov. 23. According to the researchers, more than 12.5 million email messages were captured between 7 a.m. and 12 p.m. GMT, and the current Scarab ransomware campaign used emails disguised as scanned documents, similar to "Locky ransomware campaigns distributed via Necurs."
The Scarab ransomware was first seen in the wild in June, but the recent resurgence has been credited to the malware being spread via the Necurs botnet. Necurs was first discovered by cybersecurity vendors in 2012, and the botnet has grown steadily since that time. The Necurs botnet was previously used to spread the Dridex banking malware and Locky ransomware, though the botnet's activity decreased sharply following a series of raids and arrests of suspected hackers in Russia last year.
"By employing the services of larger botnets such as Necurs, smaller ransomware players such as the actors behind Scarab are able to run a massive campaign with a global reach," Gibney and Dela Paz wrote in a blog post. "It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns."
It is still unclear whether the campaign was temporary, as Forcepoint has not released any updates to its initial figures since the post on Nov. 23, and the company had not responded to requests for more data at the time of publication.
Andy Norton, director of threat intelligence at Lastline in Redwood City, Calif., said the Necurs botnet can be a dangerous delivery system, but as yet, it has only been seen propagating ransomware.
"Necurs is so popular to push malware and ransomware because it contains lots of concealment technology, like the use of packers to evade static analysis, and lots of evasion technology to avoid being discovered by behavioral malware analysis platforms," Norton told SearchSecurity. "It is able to survive inside an enterprise security environment, making it successful as a platform for delivering other subsequent malicious payloads."