Not long ago we put together an overview of the top families, trends and innovations, and we showed how ransomware has evolved until it became one of the main threats affecting users and organizations. However, not everything is perfect for the ransomware authors, and this time we will focus on what is going wrong and how ransomware authors sometimes fail when trying to profit from victims.
As you may recall, Ramnit was targeted by a law enforcement takedown back in February 2015, and we at AnubisNetworks supported it. We remained vigilant after that operation, and since then the average number of infections in a 24-hour period has been around 300,000. This large number of residual infections after a takedown is normal for big botnets like those created with Ramnit - if no one cleans an infected computer, it will remain infected even if the botnet command and control is down.
AnubisNetworks began monitoring Necurs, a malware family known for its rootkit capabilities, in August 2015. Since then we have been able to observe approximately 50,000 unique IP addresses connecting to our sinkhole over a 24-hour period. However, we recently discovered that we were only seeing a small part of the whole botnet.