World's biggest botnet spewed 12.5 million booby-trapped spam emails in 6 hours
Ransomware infects computers and demands Bitcoin, a cryptocurrency, in return.
One of the biggest computer botnets in the world – known as Necurs – recently hosted a massive spam campaign which spewed out more than 12.5 million emails containing ransomware.
Multiple security experts noted a spike in activity, as hackers used a malware known as Scarab in an attempt to lock down computer files and demand a ransom in Bitcoin, a cryptocurrency.
The campaign, researchers said, started on 23 November (Thursday) and within the first six hours had circulated millions of booby-trapped emails.
Most of the potential victims were in the UK, Australia, France and Germany and, upon analysis, internal code in the ransomware was found to contain references to the popular HBO show Game of Thrones.
According to the Daily Mail (27 November), at one point more than 2 million emails were being sent every hour.
The ransom note read: "Your files are now encrypted! You have to pay for decryption in Bitcoins. The price depends on how fast your write to us. After payment we will sent you the decryption tool."
Luckily, a firm called Forcepoint was able to block a large chunk of the outgoing emails.
"By employing the services of larger botnets such as Necurs, smaller ransomware players such as the actors behind Scarab are able to run a massive campaign with a global reach," explained two researchers from Forcepoint, Ben Gibney and Roland Dela Paz, in a blog post.
"It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns."
F-Secure, a Helsinki-based security and anti-virus company, said in a separate blog post that it was surprising to see Scarab ransomware active in such a massive spam campaign.
It said Necurs remains "the biggest deliverer of spam" in the world, with between five and six million infected computers being used to help power its cybercrime services.
The botnet spreads banking Trojans known as Dridex and Trickbot, alongside "pump-and-dump" penny-stock spam, the firm added.
Luckily for future victims, experts said Scarab is not as sophisticated as other malware.
Chris Doman, security researcher at cybersecurity company AlienVault, explained: "The Necurs botnet has been one of the largest since its initial inception in 2012. It's commonly used by very organised criminal gangs, such as those behind Dridex and Locky.
"Thankfully Scarab is already well-detected by most anti-virus and intrusion detection vendors.
"Scarab looks less sophisticated than some other ransomware, like Locky, and the usage of an e-mail based ransom payment system is very simple in contrast to its wide distribution."
Ransomware has plagued web users in 2017. Multiple widespread outbreaks – including WannaCry and NotPetya – infected tens of thousands of machines in more than 150 counties.
In many cases, it is difficult to combat as it spreads via email and only takes a single click to take hold.