From: Marta Wood
Date: 24 March 2016 at 10:10
Subject: FW: Payment Receipt
Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
You may be asked to provide your receipt details should you have an enquiry regarding this payment.
Technical Manager - General Insurance
Attached is a ZIP file whose name incorporates the recipient's name, a word such as payment, details or receipt, and a random number. This archive contains a randomly-named script (starting with "PM" and ending with .js.js) plus what appear to be a set of hidden .BIN files which may well be junk.
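A triage check for the attachment layout described above, as an added example (not code from the original post): it flags .js.js members, the "PM" name prefix and hidden .bin members in a ZIP given as bytes. Reading "hidden" as the DOS hidden attribute bit in the ZIP entry is an assumption, and the sample archive is constructed with harmless content.

```python
import io
import re
import zipfile

# Indicators from the description above. Assumption: the "hidden" .BIN files
# carry the DOS hidden attribute in their ZIP directory entry.
DOUBLE_JS = re.compile(r"\.js\.js$", re.IGNORECASE)
DOS_HIDDEN = 0x02  # FILE_ATTRIBUTE_HIDDEN, low byte of external_attr


def triage_zip(data: bytes) -> list:
    """Return a list of findings for a ZIP attachment given as raw bytes."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a readable ZIP archive"]
    with archive:
        for info in archive.infolist():
            # Only the file name matters, not any directory prefix.
            base = info.filename.rsplit("/", 1)[-1]
            if DOUBLE_JS.search(base):
                findings.append(f"double .js.js extension: {base}")
                if base.upper().startswith("PM"):
                    findings.append(f"script name starts with PM: {base}")
            if base.lower().endswith(".bin") and info.external_attr & DOS_HIDDEN:
                findings.append(f"hidden .bin member: {base}")
    return findings


def build_sample() -> bytes:
    """Constructed sample: harmless content, names mimic the described layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PM1234567.js.js", "// constructed placeholder\n")
        hidden = zipfile.ZipInfo("a1b2c3.bin")
        hidden.external_attr = DOS_HIDDEN  # mark the entry as hidden
        zf.writestr(hidden, b"\x00" * 16)
        zf.writestr("readme.txt", "benign")  # should produce no finding
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_zip(build_sample()):
        print(line)
```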
VirusTotal detection rates for the scripts are fairly low. Automated analysis shows binary download locations at:
Two of the locations are 404ing; the two that work each serve up a different binary. There are probably many more download locations and more binaries, I will try to add a list later.
The VirusTotal results for the binaries indicate that this is ransomware, specifically Locky. Automated analyses show it phoning home to:
22.214.171.124 (ITL, Latvia)
126.96.36.199 (Total Server Solutions, US)
188.8.131.52 (ITL, Netherlands)
184.108.40.206 (PE Dunaeivskyi Denys Leonidovich, Ukraine)
Some further download locations from another source (thank you!):
MD5s for downloaded binaries: