Necurs Botnet: From Sending Email With Ransomware to SPAM Pump&Dump

By José Ferreira • April 3, 2017

Necurs is one of the largest botnets in the world. It is best known for spreading malware like Locky and Dridex cryptolockers. In 2016 it was responsible for more than 90% of the malware spread by email. Last December, Necurs went silent, and no email activity containing this malware was observed from then until March 22.

In the following 24 hours Necurs launched two bursts of emails containing spam. This huge botnet has a worldwide distribution.

This spam wave is only a plain text message. No attachments, no URLs, only a message tipping you off about an imminent acquisition of “Incapta Incorporated”.


As a result, Incapta Incorporated stock spiked. Some hours later came another burst, another message with similar content, and this kept the stock at a high value.

Today similar waves are still hitting our spam traps. It’s not a sustained peak, but the botnet is still sending spam en masse.


This kind of spam is known as Pump & Dump and is not new, even for Necurs. However, this Pump & Dump spam is a change from what we had been seeing from Necurs in the last few months.

One thing is for sure: the Necurs botnet is back in action, whether with ransomware or Pump & Dump spam.
