This post was authored by Alex Chiu, Warren Mercer, and Jaeson SchultzSean Baird and Matthew Molyett contributed to this post.

Back in May, the Necurs spam botnet jettisoned Locky ransomware in favor of the new Jaff ransomware variant. However, earlier this month Kaspersky discovered a vulnerability within Jaff which allowed them to create a decryptor. This turn of events seems to have caused the miscreants behind Necurs to scramble to distribute a different ransomware payload. Falling back on their old tricks, they have selected to re-distribute Locky ransomware. The malware is being transmitted via email using an .exe file encapsulated within two compressed .zip archives.

Read more »


Talos Group

Talos Security Intelligence & Research Group