Microsoft dismantles Necurs botnet that targeted 9m devices since 2012

The Necurs botnet, one of the most prolific botnets used by cyber criminals worldwide since 2012, was taken down in a recent operation led by Microsoft that spanned 35 countries.

Microsoft employees tracked a hacker group, believed to be based in Russia, that hijacked nine million computers around the world using the Necurs botnet to send spam emails to illegally obtain money from victims. The group was also involved in stock market scams and ransomware campaigns.

"The Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world. During a 58-day period in our investigation, for example, we observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims," said Microsoft in a blog post.

The Necurs botnet generated domains weeks or months in advance to host its command-and-control server, where they connect to receive new commands. Once the Necurs botnet distributes and installs ransomware, the latter encrypts all system files and then drops a ransom note within each affected directory.

Breaking the domain generation algorithm, Microsoft and its industry partners identified a comprehensive list of future Necurs C&C server domains. This can now block and prevent Necurs from any further registration.

Tom Burt, Microsoft Vice President for Customer Security & Trust, said that the company was able to accurately predict over six million unique domains that would be created in the next 25 months. "By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet,” he said.

By gaining control of existing Necurs infrastructure, Microsoft and its industry partners will be able to receive information about all the bots located across the world. According to Microsoft, during a recent 58-day investigation, its engineers tracked one single Necurs-infected computer sending out more than 3.8 million emails to more than 40.6 million victims.

Not only was Microsoft able to track down and dismantle a larne number of Necurs botnets, it also obtained permission from the U.S. District Court for the Eastern District of New York this week "to take control of U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers".

The Necurs botnet is well known to security researchers as a distributor of ransomware and has been used by various hackers since 2015. In that year, the botnet was, after the Kelihos Trojan, the second-most frequently used attack weapon to disrupt or to hack into UK businesses.

Between October and December 2015, cyber-attacks using the Necurs botnet grew 30 times and hackers often used a destructive cocktail of Necurs and Bedep, another Trojan, to attack businesses. The ransom notes contain the headline 'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS' and contain the following message for affected PC users:

"All your files have been encrypted due to a security problem with your PC. Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files."

"The Necurs botnet has been active for many years, undertaking spam campaigns and malware delivery, most notably Locky and Dridex ransomware. Although this is welcome news, the scale of the malicious botnet issue is highlighted by the sheer numbers of compromised machines involved. This is one of many botnets in operation and recent months have seen the resurgence of the Emotet related botnet," says Carl Wearn, head of E-crime at Mimecast.

"The real takeaway has to be that general standards of cyber-security and hygiene overall, particularly in relation to IoT, are clearly currently inadequate. So much so that botnets of millions of machines can successfully operate daily over many years.

"Until a concerted and coordinated global effort to secure all users and infrastructure is undertaken to a common agreed minimum standard, new and resurrected botnet’s will continue to proliferate and plague users and organisations with spam email and malware. Prevention is clearly better than a cure as Necurs and Emotet, as only two examples, have operated with relative impunity for years," he adds.

MORE ABOUT: