Jump to content

Welcome to nsane.forums

Welcome to nsane.forums, like most online communities you need to register to view parts of our community or to make contributions, but don't worry: this is a free and simple process that requires minimal information. Be a part of nsane.forums by signing in or creating an account.

  • Access special members only forums
  • Start new topics and reply to others
  • Subscribe to topics and forums to get automatic updates


Notice: Unfortunately due to some server side issues, registration via Hotmail / Outlook email addresses do not work, members are requested to use some other email addresses like Gmail to register here. We apologize for the inconvenience caused because of it.

Sign in to follow this  

Locky Ransomware has returned with a spam campaign

Recommended Posts

adi    1,130

A security researcher with the nickname “Racco42‏” found a new campaign that was pushing a new Locky variant that spread through spam emails that contain subject lines similar to E [date](random_num).docx. For example, E 2017-08-10 (698).docx. The message body contains “Files attached. Thanks”.

According to Racco42‏:
“#locky is back with “E 2017-08-09 (xxx).doc” campaign https://pastebin.com/Qbr66946″

  1. Email sample:
  2. ————————————————————————————————————–
  3. From: [email protected][REDACTED]
  4. To: [REDACTED]
  5. Subject: E 2017-08-09 (87).xls
  6. Date: Mon, 24 Jul 2017 07:51:08 +0000
  8. Attachment: “E 2017-08-09 (87).zip” -> “E 2017-08-09 (443).vbs”
  9. ————————————————————————————————————–
  10. – sender address is faked to look to be from same domain as recepient
  11. – subject is “E 2017-08-09 (<2-3 digits>).<doc|docx|xls|xlsx|jpg|tiff|pdf|jpg>”
  12. – email body is empty
  13. – attached file “E 2017-08-09 (<2-3 digits>).zip” contains file “E 2017-08-09 (<2-3 digits>).vbs” a VBScript downloader


These emails have a compressed file attached (zip) that use the same subject name, the attached file holds a VBS downloader script. The script contains one or more URLs that will be used to download the Locky ransomware executable to the Windows %Temp% folder and then execute it.


Once it executed, it will encrypt all files. The new Locky ransomware will then modify the file name and then add the “.diablo6.”, after that, it will remove the downloaded file (exe) and then display a ransom note to the victim that presents information on how to pay the ransom.

Sadly, it is not possible to recover the original files unless you pay a ransom of 0.49 Bitcoin (about $1,600 USD).


< Here >

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this