Locky Ransomware has returned with a spam campaign

A security researcher with the nickname “Racco42‏” found a new campaign that was pushing a new Locky variant that spread through spam emails that contain subject lines similar to E [date](random_num).docx. For example, E 2017-08-10 (698).docx. The message body contains “Files attached. Thanks”.

According to Racco42‏:
#locky is back with “E 2017-08-09 (xxx).doc” campaign https://pastebin.com/Qbr66946″

1. Email sample:
2. ————————————————————————————————————–
3. From: Jeanne@[REDACTED]
4. To: [REDACTED]
5. Subject: E 2017-08-09 (87).xls
6. Date: Mon, 24 Jul 2017 07:51:08 +0000
8. Attachment: “E 2017-08-09 (87).zip” -> “E 2017-08-09 (443).vbs”
9. ————————————————————————————————————–
10. – sender address is faked to look to be from same domain as recepient
11. – subject is “E 2017-08-09 (<2-3 digits>).<doc|docx|xls|xlsx|jpg|tiff|pdf|jpg>”
12. – email body is empty
13. – attached file “E 2017-08-09 (<2-3 digits>).zip” contains file “E 2017-08-09 (<2-3 digits>).vbs” a VBScript downloader

These emails have a compressed file attached (zip) that use the same subject name, the attached file holds a VBS downloader script. The script contains one or more URLs that will be used to download the Locky ransomware executable to the Windows %Temp% folder and then execute it.

Once it executed, it will encrypt all files. The new Locky ransomware will then modify the file name and then add the “.diablo6.”, after that, it will remove the downloaded file (exe) and then display a ransom note to the victim that presents information on how to pay the ransom.

Sadly, it is not possible to recover the original files unless you pay a ransom of 0.49 Bitcoin (about $1,600 USD).