What’s Next for the World’s Biggest Botnet?

The world’s biggest botnet, which has been responsible for delivering the Locky ransomware in recent months, temporarily shut down operations just over 3 weeks ago, on May 31st. Known as Necurs, it appeared to cease all activity on that date and, until a couple of days ago, remained completely inactive. Any hopes that this inactivity would become a more long-term feature of the digital landscape were unfortunately dashed when signs of life were spotted again on 19th June. New servers were set up by the criminals behind the botnet, and bots were seen connecting to the new backend in large numbers on Sunday. According to the experts monitoring this activity, the behaviour of the bots suggests that they are either still under the control of their original masters, or that somebody else has taken control of the network and therefore of all its bots too.

Less Spam but for How Much Longer?

The shutdown of Necurs on May 31st had an immediate effect, with the volume of emails carrying the aforementioned Locky ransomware decreasing significantly. While this was welcome news as far as web security experts were concerned, it was never likely to last. Now that Necurs appears to be awakening once again from its slumber, the question on everybody’s lips is what it is going to be used for next. Can we expect a resumption of the Locky campaign, or are the criminals behind the network gearing up for a completely new campaign that will deliver an as yet unknown threat to recipients all over the world? The answer to both questions could be yes: Locky emails increased in volume as soon as the network became active again, but because the ransomware payload they were carrying was the same one already detected by anti-virus and anti-spam software just over 3 weeks ago, it is unlikely to pose much of a threat in its current form.

Why Shut Down?

Industry observers have noted that in the past, when large networks such as Necurs have gone down for any length of time, it has usually been because the people behind them were making big changes to the network infrastructure or carrying out major upgrades to the servers on which the networks were hosted. If this is the case with Necurs, any new campaign it might be gearing up for could see the distribution of spam emails on an unprecedented scale: a sobering thought for any corporate network administrators who happen to be reading this piece of news.

Neutralising the Botnets

While stopping the botnets from communicating with their backend servers, or from transporting malicious code via spam emails, is beyond the capabilities of any single company or organisation, it is possible to effectively neutralise them by stopping the payload they seek to deliver from ever reaching its intended targets. If every network administrator ensures their anti-spam filters are in full working order and up to date, far fewer messages will get through, and the world will be a slightly better place.