One of the world's most notorious and largest botnets used by cybercriminals to distribute the Dridex and Locky malware campaigns appears to have vanished from cyberspace. Security researchers have noted a sudden and distinct drop in cyber activities of these two popular malware strains, both of which relied heavily on the botnet dubbed Necurs for their propagation.
The recently emerged Locky malware strain had been gaining momentum and was first spotted in February. However, security researchers noted that it was rapidly evolving, providing cybercriminals with added arsenal to target more victims.
Dridex, on the other hand, has been active since 2014 and is widely considered to be one of the most dominant banking trojans in cyberspace. In October 2015, the UK's National Crime Agency (NCA), the FBI and Europol formed a joint task force to combat Dridex, but the effort was not as effective in shutting down the malware as hoped.
Cybersecurity firm FireEye told Motherboard: "We can only tell that the Dridex and Locky spam campaigns stopped since June 1 in our observation. We cannot confirm how the botnet was brought down yet."
Commenting on the capabilities of Necurs, which he claimed to be the world's largest botnet, security researcher Kevin Beaumont said: "The deployment of Locky was a masterpiece of criminality — the infrastructure is highly developed, it was tested in the wild on a small scale on Monday (ransomware beta testing, basically), and the ransomware is translated into many languages. In short, this was well planned." However, after the botnet disappeared, he mentioned that no new command and control servers (commonly used by hackers to store stolen data and operate botnets) have appeared in cyberspace, indicating the cybercriminals behind the botnet may have gone dark as well.
It is still uncertain why and how Necurs so suddenly vanished from cyberspace. Coincidentally, Russia recently arrested 50 hackers suspected of conducting a bank heist in the "biggest ever" cybercrime bust. The arrests took place on 1 June, the same day that security researchers reported noticing a marked drop in cybercriminal activities.
However, Russian cybersecurity firm Group-IB, which aided the authorities in executing the mass arrests, said it had not noticed "any connection between Necurs Botnet going down and recent arrests in Russia". The firm also pointed out that the arrested group has only been known to target Russian and Ukrainian banks, which adds to the conundrum behind the mysterious disappearance of the Necurs botnet.