The following information was obtained from the different cyber security sources and provided as a notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided is classified as Restricted pursuant to the PNP Regulation 200-012 on document security with impact rating of significant and threat rating of high, based on PNP Information Communication p. 22 and p.129.


The NECURS BOTNET is a distributor of many pieces of malware, most notably Locky ransomware and the Dridex banking Trojan.
Oftentimes, necurs infect computer systems when downloaded or sent as an e-mail attachment to a malicious spammed mail.Once it is downloaded, it disables security services and elements as their main routine. Necurs is combined with information theft as well as performing certain routines to avoid detection and make their presence persist (ensuring their automatic execution upon system straup). They may also drop component files and/or malware.

Computer users affected by necurs variants will find the security systems compromised for it effectively shut down services and elements that relates to system security. One variant of necurs is capable of deactivating the system firewall and disable users from being able to turn it on again. The infected computer system may fall prey of other information-stealing malware that can give cybercriminals remote access capability to the infected system itself. Also, another variant of necurs is capable of disabling security programs by disabling services with which it is associted with along with the drivers. This leave the user’s system vulnerable for any other malware to attack it.


The community are advised to follow the best practices in securing and protecting devices from Necurs botnet:

• Use a firewall to block all incoming connections from Internet to services that is not for public;
• Use strong passwords;
• Allow only legitimate programs with minimal privileges as necessary;
• Disable autoplay to prevent automatic lunching of executabl files;
• Turn-off sharing if not necessary;
• Turn-off and remove unnecessary services;
• Always use updated anti-virus;
• Regularly change the passwords for FTP accounts;
• Inspect all e-mail prior to download. Make sure to delete e-mails with attachments from unexpected or unknown source; and
• Install anti-virus and anti-malware solutions.
For additional information, please refer to the following security websites:


Please contact CSRAD, PNP ACG for any inquiries related to this CYBER SECURITY BULLETIN at This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it. or call 7230401 local 5337.