Locky resurgence driven by Necurs

The Locky ransomware, first detected in February 2016, has surged back up Check Point’s latest Global Threat Index (GTI). It now stands at No 2 in the GTI, beaten only by the Roughted malvertising attack. This is the first time Locky has appeared in the GTI since November 2016.

Check Point puts this current rise down to the Necurs botnet, which has itself risen up the chart. It now stands at No 10. Locky and Necurs have been linked since 2016. Despite that link, both have been fairly quiet over recent months.

According to the researchers, 11.5% of companies they monitored were hit by Necurs and Locky in September. That’s a significant number of attacks and it is likely that some of these were successful. However, Check Point doesn’t provide those numbers.

The researchers at Check Point say: “This latest resurgence of the Locky ransomware family shows that businesses must remain vigilant to all forms of malware – both brand-new and well-established variants. Sophisticated cybercriminals will continually seek ways of tweaking existing tools to make them potent again, while powerful botnets can give old variants a new lease of life, enabling them to rapidly target users around the globe.”

What does this mean

Ransomware continues to be a major revenue stream for hackers and cybercriminals. There is a constant stream of new evasion techniques being published on the Dark Web. It doesn’t take much for a hacker to add some of these to a known piece of malware and make it dangerous again.

As the price of bitcoin continues to rise, it gives increasing impetus to ransomware creators and distributors. They now need fewer and fewer successful infections to be profitable. That means that organisations cannot assume that the problem will become manageable. Instead, they need to significantly increase their defences and education for users.

