From: Joe holdman [holdmanJoe08@seosomerset.co.uk]The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipients email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default.
Date: 30 March 2016 at 08:55
Subject: RE: Additional Information Needed #869420
We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.
An analysis of three scripts    shows binary downloads from:
This binary has a detection rate of 6/56. Automated analysis   shows network traffic to:
184.108.40.206 (Krek Ltd, Russia)
220.127.116.11 (OVH, France / Bondhost, Montenegro)
18.104.22.168 (TheFirst-RU, Russia)
These characteristics are consistent with Locky ransomware.