From: Joe holdman [holdmanJoe08@seosomerset.co.uk]
Date: 30 March 2016 at 08:55
Subject: RE: Additional Information Needed #869420

We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.

The reference number varies in the subject. The attachment is a ZIP file whose name contains elements of the recipient's email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default.
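The attachment layout described here (a ZIP named with "copy" or "invoices", unpacking to a "letter" folder with a "letter_*.js" script and a ".wrn" file) is simple to check for at a mail gateway. The following is an added example, not code from the original post; the file names inside the constructed sample ZIP are placeholders, and only the naming pattern is taken from the post.

```python
import io
import re
import zipfile

# Words the post says appear in the attachment name alongside parts of the
# recipient's address and a random number.
ATTACHMENT_NAME = re.compile(r"(copy|invoices?)", re.IGNORECASE)


def attachment_name_suspicious(filename: str) -> bool:
    """True for a .zip whose name carries one of the described keywords."""
    return filename.lower().endswith(".zip") and bool(ATTACHMENT_NAME.search(filename))


def zip_matches_letter_pattern(zip_bytes: bytes) -> dict:
    """Inspect ZIP bytes for a "letter" folder holding letter_*.js and a .wrn file.
    Returns the matching member names; 'suspicious' is True when both are present."""
    findings = {"js": [], "wrn": [], "suspicious": False}
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return findings  # not a ZIP at all; let other checks handle it
    for name in names:
        parts = name.replace("\\", "/").split("/")
        base = parts[-1].lower()
        in_letter_dir = len(parts) > 1 and parts[-2].lower() == "letter"
        if in_letter_dir and base.startswith("letter_") and base.endswith(".js"):
            findings["js"].append(name)
        elif in_letter_dir and base.endswith(".wrn"):
            findings["wrn"].append(name)
    findings["suspicious"] = bool(findings["js"] and findings["wrn"])
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample reproducing only the layout; contents are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("letter/letter_4821.js", "// placeholder, not a real script\n")
        zf.writestr("letter/helper.wrn", "// placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(attachment_name_suspicious("jsmith_copy_77213.zip"))
    print(zip_matches_letter_pattern(build_sample_zip()))
```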
An analysis of three scripts [1] [2] [3] shows binary downloads from:
cainabela.com/zFWvTM.exe
downloadroot.com/vU4VAZ.exe
folk.garnet-soft.com/jDFXfL.exe
This binary has a detection rate of 6/56. Automated analysis [4] [5] shows network traffic to:
93.170.131.108 (Krek Ltd, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
82.146.37.200 (TheFirst-RU, Russia)
These characteristics are consistent with Locky ransomware.
Recommended blocklist:
93.170.131.108
5.135.76.18
82.146.37.200