A security researcher with the nickname “Racco42” found a new campaign that was pushing a new Locky variant that spread through spam emails that contain subject lines similar to E [date](random_num).docx. For example, E 2017-08-10 (698).docx. The message body contains “Files attached. Thanks”.
According to Racco42:
“#locky is back with “E 2017-08-09 (xxx).doc” campaign https://pastebin.com/Qbr66946″”
Email sample: ————————————————————————————————————– From: Jeanne@[REDACTED] To: [REDACTED] Subject: E 2017-08-09 (87).xls Date: Mon, 24 Jul 2017 07:51:08 +0000 Attachment: “E 2017-08-09 (87).zip” -> “E 2017-08-09 (443).vbs” ————————————————————————————————————– – sender address is faked to look to be from same domain as recepient – subject is “E 2017-08-09 (<2-3 digits>).<doc|docx|xls|xlsx|jpg|tiff|pdf|jpg>” – email body is empty – attached file “E 2017-08-09 (<2-3 digits>).zip” contains file “E 2017-08-09 (<2-3 digits>).vbs” a VBScript downloader“
These emails have a compressed file attached (zip) that use the same subject name, the attached file holds a VBS downloader script. The script contains one or more URLs that will be used to download the Locky ransomware executable to the Windows %Temp% folder and then execute it.
Once it executed, it will encrypt all files. The new Locky ransomware will then modify the file name and then add the “.diablo6.”, after that, it will remove the downloaded file (exe) and then display a ransom note to the victim that presents information on how to pay the ransom.
Sadly, it is not possible to recover the original files unless you pay a ransom of 0.49 Bitcoin (about $1,600 USD).