Security researchers have discovered a new spam campaign which started last Friday, where ransomware is downloaded and run by a macro hidden inside a Word document that is in turn nested within a PDF, like a Russian nesting dolls – or matryoshka dolls. The ransomware is a variant of Locky.
While Locky had previously faded from the spotlight, this notorious ransomware is once again flooding email inboxes in a new spam campaign, which appears to be launched from the Necurs botnet.
Locky ransomware was previously embedded in email with attachments using script formats recognized by Windows hosts, such as .js, .wsf, and .hta file types.
This brand new variant is borrowing infection techniques recently observed in a Dridex malware campaigns. The new Locky is currently appearing in user mailboxes in very high volumes.
The Necurs botnet, which is the source of the spam attack, has previously been used to send out more traditional (and relatively benign) spam – such as stock pump-and-dump spam, Russian dating spam and work-from-home spam campaigns.
This malware/botnet hookup probably sees a new partnership in cybercrime – the botnet and the ransomware teams appear to either have merged, or partnered in a customer / supplier type relationship. The extent of this partnership is unclear at this time.