The Necurs botnet is once again intensively spreading last year's ransomware Locky, which had almost disappeared from the radar in May 2017. It turned out, however, that the new version of Locky can only run on Windows XP and Windows Vista. Most likely, the attackers will correct this error soon.
The unsuccessful Trojan heir
The infamous Necurs botnet has launched a new, unusually intense wave of the Locky ransomware. This Trojan was among the leading threats by distribution volume in 2016, but later, for a time, ceased to be considered the most pressing threat. In May 2017 the Necurs botnet stopped distributing it altogether. Now a new wave has begun, but, most unexpectedly, the new version of the ransomware cannot run on operating systems newer than Windows Vista.
One of the most likely explanations for the unexpected return is that the Necurs operators had chosen to switch to the newer and seemingly more sophisticated Jaff ransomware. Apparently, Locky, Jaff and Necurs are all products of one and the same cybercrime group.
Locky is dangerous first and foremost because its encryption scheme is extremely robust: no matter how hard researchers tried, they could not find weaknesses in it.
In Jaff, however, a weakness was found, and Kaspersky Lab quickly released decryption tools.
Didn't expect that?
Most likely, Jaff's creators were themselves puzzled by this turn of events and tried to return to Locky, whose encrypted files cannot be decrypted.
However, the attackers made a number of mistakes. When the waves of spam carrying Locky rose again, many security researchers noticed, and all of them ran into the same peculiar problem: Locky did not run on their test systems. Experts from Talos established the cause: Data Execution Prevention (DEP), present in Windows 7 and all later versions, blocks Locky's unpacker, so the malware cannot start.
"This is unlikely to last long," said Georgy Lagoda, CEO of SEC-Consult Services. "Apparently, the attackers will soon realise their error and try to fix it. So only a few days will pass, and Locky will again become a very pressing threat."
The differences are small but significant
The new version of Locky is spreading very intensively: it accounts for about 7.2% of all spam on the Internet. It differs very little from the previous ones: the same extension for encrypted files, the same URL structure for the command-and-control servers.
However, some things have changed: for example, Locky has begun to use a new method of launching its binaries.
The typical subject lines and body text of the mail messages carrying the malicious attachment have also changed, although they are still disguised as invoices, financial notices, order confirmations and so on. In addition, the attachments are now archived twice: inside a file with a ZIP extension there is another such archive, and only inside that is the executable.
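A mail-gateway check for the double-archived attachment pattern described above, written here as an added example (not code from the article or from any vendor named in it): it unpacks nested ZIPs in memory, classifies each member by its leading bytes rather than its extension, and flags an executable that sits inside an archive within an archive. The sample attachment and its file names are constructed for the demo.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a non-empty ZIP
PE_MAGIC = b"MZ"            # DOS stub header of a Windows executable
MAX_DEPTH = 4               # stop unpacking pathological nesting

def classify_member(data: bytes) -> str:
    """Classify a member by its leading bytes, never by its extension."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "other"

def inspect_archive(blob: bytes, depth: int = 0, path: str = "") -> list:
    """Walk nested ZIPs; return (member path, nesting depth, kind) tuples."""
    findings = []
    if depth > MAX_DEPTH:
        return [(path, depth, "too-deep")]
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            kind = classify_member(data)
            member = f"{path}/{info.filename}"
            findings.append((member, depth, kind))
            if kind == "zip":  # recurse into the inner archive
                findings.extend(inspect_archive(data, depth + 1, member))
    return findings

def is_double_archived_exe(blob: bytes) -> bool:
    """True when an executable sits inside a ZIP that is itself inside a ZIP."""
    return any(kind == "pe" and depth >= 1
               for _, depth, kind in inspect_archive(blob))

def build_sample(nested: bool = True) -> bytes:
    """Constructed test attachment: a fake MZ file, optionally double-zipped."""
    fake_pe = PE_MAGIC + b"\x90" * 62  # constructed stand-in, not real code
    payload_name, payload = "order_confirmation.exe", fake_pe
    if nested:
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as zf:
            zf.writestr(payload_name, payload)
        payload_name, payload = "order_confirmation.zip", inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(payload_name, payload)
    return outer.getvalue()
```

A plain ZIP with an executable at the top level is left to ordinary attachment filtering; this check isolates the nested pattern the new campaign relies on.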
To top it all off, the new version is also equipped with virtual-machine detection and anti-analysis protection, which is why researchers did not immediately understand what was wrong with this malware.