Necurs botnet malspam delivering a new Ransomware via fake scanner /copier messages

We have had an almost two-week break from Locky ransomware. This morning in the UK we suddenly see the return. It is almost as if they have timed the new version to spam out on Thanksgiving Day in the USA, when the AV companies and security teams are off on their long weekend holiday. The next in the never-ending series of downloaders from the Necurs botnet is an email with the subject "Scanned from (printer or scanner name)", pretending to come from copier@ your own email address or company domain.

However, it is definitely a ransomware but doesn't look like Locky: the ransom note is very different. These emails all have blank bodies with just an attachment and the subject. Whether this is a new version of Locky ransomware or a new ransomware using the Locky / Necurs distribution networks is open to debate at the moment.

The online sandbox reports appear to indicate that these samples do not change the file extension when they encrypt a file.

I am not certain that they are running properly and fully encrypting. The ransom note is overly complicated, with no obvious way for the victim to easily pay the ransom. They are asking the victim to email them with the personal identification key from the txt file. This would mean any decryption keys need to be sent manually, rather than automatically as in previous cases.


They use email addresses and subjects that will entice, persuade, scare or shock a recipient into reading the email and opening the attachment.

You, your email server and the devices on your network have not been hacked, and the apparent sender's email or other servers have not been compromised. The spoofed senders are not sending the emails to you; they are innocent victims in exactly the same way as every recipient of these emails.

The subjects in this campaign vary, but are all copier or scanner related:

  • Scanned from Lexmark
  • Scanned from HP
  • Scanned from Canon
  • Scanned from Epson
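The indicators described above (a "Scanned from ..." subject, a sender of copier@ on the recipient's own domain, a blank body and a lone attachment) are easy to turn into a mail-gateway or SIEM rule. The following is an added example, not code from the original post: a small Python check that parses raw messages with the standard library and flags those matching the pattern. The organisation's own domain is passed in by the caller, and all three sample messages are constructed here for illustration.

```python
"""Flag inbound mail matching the fake scanner/copier malspam pattern:
subject "Scanned from <vendor>", sender "copier@" and/or the recipient's
own domain, an empty body and an attachment.

Added example, not from the original post. The own_domain value is an
assumption supplied by the caller; the sample messages are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subjects seen in the campaign all start with "Scanned from"; allow a Re:/Fw: prefix.
SUBJECT_RE = re.compile(r"^\s*(?:re:|fw:)?\s*scanned from\b", re.IGNORECASE)


def analyse(raw: bytes, own_domain: str) -> dict:
    """Return the indicators found in one raw RFC 822 message plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    address = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = address.partition("@")

    # The text body (if any); html is accepted as a fallback.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content().strip() if body_part is not None else ""
    attachments = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]

    indicators = {
        "subject_scanner": bool(SUBJECT_RE.match(msg.get("Subject", ""))),
        "from_copier": local == "copier",
        "from_own_domain": domain == own_domain.lower(),
        "empty_body": body_text == "",
        "has_attachment": bool(attachments),
    }
    # Verdict: lure subject + attachment + blank body + a sender that spoofs
    # either "copier@" or the recipient's own domain.
    flagged = (indicators["subject_scanner"] and indicators["has_attachment"]
               and indicators["empty_body"]
               and (indicators["from_copier"] or indicators["from_own_domain"]))
    return {"indicators": indicators, "attachments": attachments, "flagged": flagged}


def build_sample(sender: str, subject: str, body: str, attachment_name: str = None) -> bytes:
    """Build a constructed test message; the attachment payload is a placeholder."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "someone@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"PK\x03\x04 constructed placeholder, not a real archive",
                         maintype="application", subtype="zip", filename=attachment_name)
    return m.as_bytes()


# Constructed samples: one matching the campaign, one plausible real scan
# (non-empty body), one unrelated message with a scanner-like subject.
SAMPLES = {
    "malspam": build_sample("copier@example.org", "Scanned from Lexmark", "", "Scan_001.zip"),
    "legit_scan": build_sample("copier@example.org", "Scanned from HP",
                               "Attached is the scan from the 2nd floor copier.", "doc.pdf"),
    "newsletter": build_sample("news@vendor.example", "Scanned from Canon",
                               "Read our latest tips."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = analyse(raw, "example.org")
        print(f"{name:12} flagged={result['flagged']} {result['indicators']}")
```

The verdict deliberately requires the blank body in addition to the spoofed sender, because real copiers on the internal domain do send "Scanned from ..." mail; tuning that condition (or whitelisting the copier's actual SMTP relay) is what keeps the rule from quarantining genuine scans.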

To read the original article :
