Spikes in Spam Email JavaScript Attachments Leading to Locky Ransomware

March 14, 2016 8:56 am David Bisson

Over the past month, researchers have spotted high volumes of spam emails carrying JavaScript attachments that, if opened by a user, lead to the download of Locky ransomware.

Rodel Mendrez, a security researcher at Trustwave, explains in a blog post that he has observed “extraordinary huge volumes of JavaScript attachments” in punctuated bursts of spam email activity. Trustwave’s servers were sometimes hit with 200K spam emails in a single hour.

The spam emails each consist of a message that attempts to lure the user into clicking on an attachment that masquerades as a .ZIP file labelled “document_invoice.” In actuality, the attachment is a JavaScript file that downloads Locky ransomware.

Believed to be distributed through the same botnet that once spammed users with the Dridex trojan, Locky shares information about the infected system with the ransomware authors once it connects to a command and control (C&C) server. The malware then encrypts every file on the hard drive with one of a set of common file extensions and appends .LOCKY as the new extension.

When the encryption process is complete, Locky replaces the computer’s desktop background with a ransom note, which includes a link to a website accessible only via the Tor browser. There the victim is asked to pony up 0.5 BTC (approximately US$200) for a decryption key that can restore their files.

Locky is the same ransomware that caused the Hollywood Presbyterian Medical Center to shutter its computer system for a week before the hospital gave in and paid the ransom fee, which in this case was 40 BTC (approximately US$17,000).

Mendrez recommends that organizations consider blocking inbound .js attachments and Office documents with macros at the gateway. Educating your users about your organization’s email policy can also go a long way towards avoiding malware infections.
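As an added example of the gateway policy described above (this is illustration code written for this page, not Trustwave's or MetaCompliance's tooling), the script below parses an email message and flags attachments that policy would stop: JavaScript files, including names such as "document_invoice.zip.js" whose middle part imitates an archive, and macro-capable Office documents. It goes slightly beyond the article in two labelled ways: it also looks inside .zip attachments for script files, and it treats a few extra script extensions (.jse, .wsf, .vbs, .vbe) and macro-enabled Office extensions as blocked; those lists are assumptions, not something the article states. The sample message is constructed inline with placeholder content.

```python
"""Gateway-style attachment check for the policy described in the article.
Added example; not the article's or Trustwave's code. Extension lists beyond
".js" and the zip-inspection step are this example's own assumptions."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions this example blocks outright. The article names only .js;
# the remaining script and macro-enabled extensions are assumptions.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Legacy binary Office formats can also carry macros, so route them to
# inspection (sandbox or macro scan) rather than letting them straight through.
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}


def _extension(filename):
    """Return the LAST extension, lower-cased. 'document_invoice.zip.js'
    is a .js file regardless of the '.zip' in the middle."""
    name = filename.lower().strip()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def classify_attachment(filename):
    """Return 'block', 'inspect' or 'allow' for an attachment filename."""
    ext = _extension(filename)
    if ext in SCRIPT_EXTENSIONS or ext in MACRO_EXTENSIONS:
        return "block"
    if ext in LEGACY_OFFICE:
        return "inspect"
    return "allow"


def scan_archive(name, data):
    """Classify each member name of a zip attachment. A zip that cannot be
    parsed is sent to inspection instead of being silently allowed."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                verdict = classify_attachment(member)
                if verdict != "allow":
                    findings.append((f"{name}!{member}", verdict))
    except zipfile.BadZipFile:
        findings.append((name, "inspect"))
    return findings


def scan_message(raw):
    """Parse a raw RFC 822 message and return [(attachment name, verdict)]
    for every attachment that is not simply allowed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if _extension(name) == ".zip":
            findings.extend(scan_archive(name, part.get_content()))
            continue
        verdict = classify_attachment(name)
        if verdict != "allow":
            findings.append((name, verdict))
    return findings


def build_sample_message():
    """Constructed sample resembling the lure: a bare .js named like an
    archive, a real zip holding a .js, and a benign PDF. Placeholder bytes only."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"// constructed placeholder, not a real sample\n",
                       maintype="application", subtype="octet-stream",
                       filename="document_invoice.zip.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document_invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, verdict in scan_message(build_sample_message()):
        print(f"{verdict:8} {attachment}")
```

Deciding on the final extension rather than the first is the point of `_extension`: a user-facing label of "document_invoice.zip" is exactly how the lure presents itself, and a check keyed on the visible part of the name would wave it through. Real gateways should pair this name-based rule with content inspection, since the filename is attacker-controlled.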

MetaCompliance can help your organization improve employee awareness of risks and corporate policies.