Email
Password
Remember meForgot password?
    Log in with Twitter

article imageRansomware-spreading botnet takes desktop screenshots

By Karen Graham     Oct 19, 2017 in Technology
The Necurs botnet has been inactive for much of the first half of 2017, but it is now back, with a vengeance. Recently, Millions of malicious emails have been distributed, with most of them spreading Locky ransomware.
The ransomware was discovered recently by researchers at Symantec, who say the group behind Necurs has added some additional functions to its toolkit, primarily a downloader, to gain some additional insights into its victims, hence the screenshots being collected. The screenshots are then sent back to a remote server.
However, the hackers have upgraded their malware, as it now includes an error-reporting feature that sends information back to the cyber-attackers on any issues their downloader may encounter. Symantec suggests the hackers are using the error-reporting function to check on the performance of their malware, much the same as legitimate software companies collect crash reports.
The Necurs botnet has only been in existence for five years, but its reach has been phenomenal, allowing it to reach and take over up to 6 million zombie endpoints. This allows them to download some of the worst banking Trojans and ransomware threats in batches of millions of emails at a time.
Basically, Necurs botnet is indirectly responsible for a major portion of cybercrimes, and worldwide, damages incurred by this group are estimated to surpass $ 6.0 trillion by 2021, according to Security Intelligence.
Fake invoices - Do not open them
Symantec writes: "The new emails use a tried-and-tested invoice-based social engineering format, and generally, contain the following details:
Subject: Status of invoice [FAKE INVOICE NUMBER]
Attachment: [FAKE INVOICE NUMBER].html
Typical invoice email sent by Necurs botnet.
Typical invoice email sent by Necurs botnet.
Symantec
The body of the email contains a message urging the reader to open the attachment to check the invoice.
Standard precautions apply here; when strangers offer you unsolicited invoices or deliveries via email, the safest course of action is to simply trash the email.
If the attached .html file is opened, it will download a JavaScript via an embedded iframe. The JavaScript will download the payload which will either be Locky or Trickybot."
Just don't open email from people or sites you are not familiar with
Many of us get emails from sites we are not sure of or people who claim to know who we are. Symantec has several precautions we should take to stay protected from ransomware and other cyberattacks.
1. Delete any emails you receive that look suspicious, especially if they contain links or attachments.
2. Always keep security software up to date to protect yourself against any new viruses or variants of malware.
3. Keep your operating system (OS) and other software updated. Software updates often include patches for newly discovered security vulnerabilities that could be exploited by attackers.
4. Make a habit of backing up any files stored on your computer. If your computer does become infected with ransomware, any files can be restored once the malware has been removed.
More about Ransomware, Symantec, Necurs botnet, Locky ransomware, Cybersecurity