According to security firm AppRiver, this weekend was very busy for the cyber criminals.
Researchers are saying the bad guys sent out 14 million emails laced with Locky ransomware. Analyst Jonathan French figures that at least one botnet was used to send out the emails.
Locky was first seen in Feb. 2016 and when it finds a victim, encrypts the files, it then asks for .5 bitcoin which is valued at approximately $340.
AppRiver was able to monitor the activity with a global network of honeypots.
“Virus hits are tabulated on a global scale across our servers,” French explained, “we are able to pull the hit statistics for a rule we have and see the counts over time. If we know which specific rule is blocking which campaign — such as one we add for brand new malware variants — we are able to give a size to the amount of emails caught as well as a time frame.”
“The initial guess is due to the sudden drop in traffic during the 3 p.m. time frame and then a subsequent jump in virus traffic again,” French said, “it seems unlikely two botnets would be that coordinated in sending malware. Looking closer at some of the sending IP addresses between the two, we can see that many of the IPs were active during both malware pushes.”
Locky was dormant for a while and researchers are postulating the botnets may have been in need of upgrading before the push.