Without Necurs, Locky Struggles

January 18, 2017 - 1 Comment

This post authored by Nick Biasini with contributions from Jaeson Schultz

Locky has been a devastating force for the last year in the spam and ransomware landscape. The Locky variant of ransomware has been responsible for huge amounts of spam messages being sent on a daily basis. The main driver behind this traffic is the Necurs botnet. This botnet is responsible for the majority of Locky and Dridex activity. Periodically Necurs goes offline and during these periods we typically see Locky activity decrease drastically. One of these periods is currently ongoing.




In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Great article! We have seen a definite decrease in the SOC for this alert type. It is nice to see the correlation put together this way.
    Good job guys!