From: Janis Faulkner [FaulknerJanis8359@ono.com]
Date: 29 April 2016 at 11:13
Subject: Second Reminder - Unpaid Invoice
We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid.
For details, please check the invoice attached to this mail.
Regards,
Janis Faulkner
Chief Executive Officer - Food Packaging Company
Attached is a ZIP file with a name similar to unpaid_invoice551.zip, which contains a randomly named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website.
The scripts I have seen download slightly different binaries from the following locations:
cafeaparis.eu/f7yhsad
amatic.in/hdy3ss
zona-sezona.com.ua/hj1lsp
avcilarinpazari.com/u7udssd
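The lure in this campaign is a ZIP attachment carrying a script rather than an invoice. A mail gateway can catch that shape of attachment before any of the download locations above are ever contacted, by opening the archive and looking for script members. The following is an added example, not code from the original post or from any mail product; the extension list is an assumed policy choice, the attachment name and the archive contents are constructed for the demonstration, and the check deliberately treats a file that is named .zip but is not a valid archive as suspicious too.

```python
import io
import zipfile

# Extensions a gateway should treat as executable script content when found
# inside a ZIP attachment (assumed policy list, not from the original post).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".cmd", ".bat", ".ps1"}


def script_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members whose extension marks them as a script.

    Raises zipfile.BadZipFile if the data is not a ZIP archive at all.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            # Only the final extension counts: "invoice.pdf.js" still ends in ".js".
            dot = name.rfind(".")
            ext = name[dot:] if dot != -1 else ""
            if ext in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits


def should_quarantine(attachment_name: str, attachment_bytes: bytes) -> bool:
    """True when a .zip attachment carries a script, or is not a real ZIP at all."""
    if not attachment_name.lower().endswith(".zip"):
        return False
    try:
        return bool(script_members(attachment_bytes))
    except zipfile.BadZipFile:
        # Named .zip but not parseable as one: do not let it through either.
        return True


def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Build an in-memory ZIP so the check can be exercised offline (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment resembling the one described in the post:
    # the member name is a made-up random string, not a real sample.
    lure = build_sample_zip("Hx7kq2.js", b"// constructed placeholder script body")
    print("quarantine unpaid_invoice551.zip:", should_quarantine("unpaid_invoice551.zip", lure))
    benign = build_sample_zip("invoice.pdf", b"%PDF-1.4 constructed")
    print("quarantine invoice.zip:", should_quarantine("invoice.zip", benign))
```

The check inspects member names only; a gateway that also has content scanning available should still run it, since the name test is a cheap first filter rather than a substitute for detection of the script body.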
VirusTotal detection rates are in the range of 8/56 to 10/56 [1] [2] [3] [4]. In addition to those reports, various automated analyses [5] [6] [7] [8] [9] show that this is Locky ransomware phoning home to:
91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
83.217.8.155 (Park-web Ltd, Russia)
31.41.44.246 (Relink Ltd, Russia)
89.108.84.155 (Agava Ltd, Russia)
51.254.240.60 (Relink, Russia / OVH, France)
I strongly recommend that you block traffic to:
91.234.32.19
83.217.8.155
31.41.44.246
89.108.84.155
51.254.240.60
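Blocking the addresses is the immediate step; the same indicators are also worth running back over proxy logs to find any host that already fetched one of the download locations or reached a command-and-control address, since those machines need isolation rather than just a firewall rule. The script below is an added example, not part of the original post: it carries the download locations and C2 addresses listed above, matches them against a Squid-style access log (the field layout is an assumption, and the log lines are constructed samples, not real traffic), reports which internal clients were involved, and emits iptables DROP rules for review.

```python
import ipaddress
import re
from typing import Optional

# Indicators taken from the post: the script's download locations (host/path,
# scheme stripped) and the Locky command-and-control addresses.
DOWNLOAD_URLS = [
    "cafeaparis.eu/f7yhsad",
    "amatic.in/hdy3ss",
    "zona-sezona.com.ua/hj1lsp",
    "avcilarinpazari.com/u7udssd",
]
C2_ADDRESSES = [
    "91.234.32.19",
    "83.217.8.155",
    "31.41.44.246",
    "89.108.84.155",
    "51.254.240.60",
]
C2_SET = set(C2_ADDRESSES)

# Assumed Squid native access.log layout:
# timestamp elapsed client status/code size method url ident hierarchy/dest type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<dest>\S+)"
)

# Constructed sample log lines; the internal clients, timestamps and the
# benign first request are made up for the demonstration.
SAMPLE_LOG = """\
1461928400.123    512 10.0.0.12 TCP_MISS/200 2048 GET http://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1461928405.456    840 10.0.0.17 TCP_MISS/200 301056 GET http://cafeaparis.eu/f7yhsad - HIER_DIRECT/203.0.113.5 application/octet-stream
1461928410.789     60 10.0.0.17 TCP_MISS/200 512 POST http://91.234.32.19/ - HIER_DIRECT/91.234.32.19 text/plain
1461928415.000     70 10.0.0.23 TCP_MISS/200 512 GET http://83.217.8.155/ - HIER_DIRECT/83.217.8.155 text/plain
"""


def classify(url: str, dest: str) -> Optional[str]:
    """Label a request as a payload download, a C2 contact, or None."""
    bare = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)
    host = bare.split("/", 1)[0].split(":", 1)[0]
    if any(bare.startswith(d) for d in DOWNLOAD_URLS):
        return "payload-download"
    # Match on both the URL host and the upstream address the proxy actually used.
    if host in C2_SET or dest in C2_SET:
        return "locky-c2"
    return None


def scan(log_text: str) -> list[dict]:
    """Return one record per log line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        kind = classify(m["url"], m["dest"])
        if kind:
            hits.append({"client": m["client"], "url": m["url"], "kind": kind})
    return hits


def affected_clients(log_text: str) -> list[str]:
    """Sorted, de-duplicated internal addresses that touched any indicator."""
    return sorted({h["client"] for h in scan(log_text)})


def iptables_rules(addresses) -> list[str]:
    """Produce outbound DROP rules; each address is validated before a rule is built."""
    rules = []
    for a in addresses:
        ipaddress.ip_address(a)  # raises ValueError on a malformed entry
        rules.append(f"iptables -A OUTPUT -d {a} -j DROP")
    return rules


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['kind']:17} {hit['client']:12} {hit['url']}")
    print("clients to isolate:", ", ".join(affected_clients(SAMPLE_LOG)))
    print("\n".join(iptables_rules(C2_ADDRESSES)))
```

The rules are printed rather than applied so they can be reviewed and placed in whatever firewall management the site uses; a client that shows up under payload-download but not locky-c2 may simply have been blocked at the proxy, so the download hit alone is reason enough to check the machine.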