Cyren Security Blog

Subscribe to this Blog

Locky 2? Jaff Ransomware Launched from Necurs Botnet

by Arna Magnúsardóttir

Botnets Malware Threat Analysis

Despite WannaCrypt grabbing all the headlines, it is far from being the only ransomware in circulation. A second wave of Jaff ransomware is now being distributed by the stealthy Necurs botnet. Starting on Monday, May 8 (around 9:30 UTC), the Necurs botnet was harnessed to distribute a new Locky-style email campaign with an initial global outbreak of around 20 million emails. Cyren saw and blocked about 50 million Jaff emails in less than 24 hours during a subsequent wave, and on Thursday approximately 65 million Jaff emails were detected and blocked.

WannaCrypt Ransomware Spreads Like A Worm Via NSA Exploit

by Magni Reynir Sigurðsson

Malware Ransomware Threat Analysis

UPDATE (May 14): WannaCrypt/WannaCry is still being delivered through file sharing services over https at hxxps:// and hxxps://


The WannaCrypt ransomware (aka WannaCryptor, Wcrypt, and WannaCry) has managed to infect thousands of systems within just a few hours of its first appearance yesterday, with estimates on the order of 100,000 PC infections in 100 countries. There are reports of disruption at the likes of British National Health Service medical centers, German Railway ticket computers, FedEx and Telefonica, which apparently ordered employees to disconnect their computers from the corporate network in an attempt to stymie the spread of WannaCrypt. The ransomware encrypts files found on the system and initially demands ransom payment of $300 delivered in Bitcoin to a specific address, with the payment demand amount reportedly escalating over time.

Is Monday the Worst Day of the Week...for Security?

by Daisy Spiridopoulos

Email Security Malware Phishing Ransomware Threat Analysis Web Security

The IT manager responsible for information security at an enterprise account — let’s call him “Steve” — recently shared an interesting story.  In general, he felt that they handle security pretty well, but he detailed one challenge that they haven't yet solved — users roaming outside the office security perimeter.

It's Baaack! Dridex Targets UK With a New Set of Guns

by Maharlito Aquino

Malware Threat Analysis

In the midst of the recent revival of Dridex, the notorious family of banking trojans, a Dridex attack scheme targeted at users in the UK was detected this week (and is being blocked) by Cyren's security cloud.

Students Targeted by Test Prep SEO Attack

by Lordian Mosuela

Malware Threat Analysis

College entrance exams are anxiety inducing for many students, now made all the more stressful by the discovery by Cyren researchers of malware targeting students seeking an exam reviewer or test preparation  service. A recent search for “college entrance exam reviewer pdf” led to an SEO (search engine optimization) attack based on these keywords.

Companion Ransomware — 2-for-1 Malware Distribution

by Maharlito Aquino

Malware Ransomware Threat Analysis

As reported in February, Cerber and other ransomware groups are now offering Ransomware-as-a-Service, giving affiliates/partners a percentage of the collected ransom. 

In a new sort of "two-for-one" malware deal, Cyren has detected variants of the Kovter click-fraud malware being distributed with “companion” Cerber ransomware by the Kovter malware team.