With no warning, one of the world's largest criminal botnets—a massive collection of compromised computers used to launch attacks—has disappeared. Researchers have reported huge drops in traffic for two of the most popular pieces of malware that rely on it.
"We can only tell that the Dridex and Locky spam campaigns stopped since June 1 in our observation. We cannot confirm how the botnet was brought down yet," Joonho Sa, a researcher for cybersecurity company FireEye, told Motherboard in an email.
Dridex is a piece of malware typically used to empty bank accounts, while Locky is a particularly widespread form of ransomware, which encrypts a victim's files until they pay a hefty ransom in bitcoin. The two campaigns have been linked in the past.
It's not clear what exactly will happen to Locky victims now that its infrastructure has seemingly gone offline. There's a chance that those infected with the ransomware may be unable to successfully pay the criminals and have their files unlocked.
Back when Locky was launched in February of this year, security researcher Kevin Beaumont wrote, "The deployment of Locky was a masterpiece of criminality—the infrastructure is highly developed, it was tested in the wild on a small scale on Monday (ransomware beta testing, basically), and the ransomware is translated into many languages. In short, this was well planned."
After the botnet, called Necurs, vanished, Beaumont told Motherboard in a Twitter message, "We've seen a huge decrease in malicious traffic since. Locky has completely disappeared," and added that no new command and control servers—which hackers use to keep tabs on and direct their botnet—have popped up since. Beaumont claimed Necurs was the world's largest botnet.
There is only circumstantial evidence that may point to why the botnet has vanished. On June 1, the same day FireEye and Beaumont reported a large dip in malicious traffic, Russia's FSB security service said it had arrested a gang of around 50 hackers, Reuters reported. Those hackers had stolen over 1.7 billion roubles ($25.33 million) from Russian institutions and banks, and used a trojan called Lurk.
Group-IB, a Russian cybersecurity firm that works with law enforcement, doesn't think there's a link with the arrests though.
"We don't see any connection between Necurs Botnet going down and recent arrests in Russia. The arrests of 50 hackers were made in connection to the Lurk group, and that particular group only targeted Russian and Ukrainian banks in their fraudulent activity," Nikolay Grunin, PR manager for Group-IB, told Motherboard in an email.
For the time being, why exactly Necurs disappeared remains a mystery.
Correction: Due to an email mixup, this story originally attributed a quote from FireEye's Joonho Sa to Sarah Coutermarsh, a FireEye spokesperson who had actually forwarded the statement.