Malspam With JavaScript Attachment Leads To Locky Ransomware

We are currently seeing huge volumes of malicious JavaScript attachments being spammed at users through email. This particular spam campaign uses the typical social engineering lures like invoice notifications, payment slips, payment confirmations, tax related notifications, billing statements, purchase orders and the like.

The spammed mail contains a .zip file that when the user opens the zip, a JavaScript attachments surreptitiously triggers the embedded Locky ransomware. Once installed on a target computer, Locky reports back the infected systems information, then starts to encrypt files that have certain extensions,including those on unmapped network shares. It also renames the encrypted files to a random name and uses .locky as the file extension. This malware sets the system's desktop wallpaper to the following image. There is also a notepad file left on the desktop, which when opened, displays a typewritten version of the ransom note.

Each Locky victim is directed to a unique webpage that can only be accessed through the Tor anonymous browser. On that page, the victim may find bitcoin payment information, along with details on how they can get the decrypter tool for their files.