![\"blackfridayspam3\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/BlackFridaySpam3.svg\")
<\/p>\n
Figure 1: The Black Friday\/Cyber Monday\u00a0themed spam triggers an infection chain that leads to a ransomware infection<\/em><\/p>\n But, as it\u2019s a chain of events, you can stop the infection at several points. Let\u2019s trace the infection chain:<\/p>\n Locky<\/a> is a ransomware family that encrypts files using a public key. It\u2019s been known to be spread by the downloader Nemucod<\/a>. We have been tracking the Nemucod-Locky<\/a> tandem, and we have seen it evolve over time, changing attachment file names and social engineering lures. This Black Friday\/Cyber Monday\u00a0version is just the latest of what looks like a continuous campaign.<\/p>\n Here are samples of the fake Amazon email messages:<\/p>\n Figure 2: A sample fake Amazon email that also spoofs Royal Mail as the courier<\/em><\/p>\n Figure 3: A sample fake Amazon email that also spoofs FedEx as the courier<\/em><\/p>\n Figure 4: A sample fake Amazon email that also spoofs DHL as the courier<\/em><\/p>\n In what looks like an attempt to evade anti-spam solutions that depend on the hash of the email body, the character “=” is added in random places in the email. The malware authors could have reused the message from a previous spam campaign, and needed only to change the positions of the added character. This changes the hash of the email body, and\u00a0it might prove effective against some email filters.<\/p>\n The email attachment is a ZIP file that contains an obfuscated JavaScript (.js) file, detected as\u00a0TrojanDownloader:JS\/Nemucod<\/a>:<\/p>\n Figure 5: The ZIP attachment contains a malicious JavaScript file<\/em><\/p>\n Figure 6: The JavaScript file is obfuscated<\/em><\/p>\n When opened, the JavaScript connects to the following URLs to download a file:<\/p>\n The downloaded file is an encrypted blob, which the JavaScript decrypts to a .DLL file and then executes. This file is a DLL version of Ransom:Win32\/Locky.A<\/a>.<\/p>\n Ransom:Win32\/Locky.A<\/a> encrypts files and renames them to this format: [victim computer ID] \u2013 [hexadecimal file identifier].aeris<\/em>. The extension .aeris<\/em> is the latest in a list that Locky<\/a> has used for the files it encrypts: .locky<\/em>, .zepto<\/em>, .odin<\/em>, .shit<\/em>, and .thor<\/em>.<\/p>\n The ransomware assigns an ID to the victim computer, which it uses for the file name of encrypted files. It then connects to\u00a0command-and-control (C&C) servers to report this ID and other information about the infected computer.<\/p>\n It drops the following ransom note, which instructs the victim to pay to regain access to the files: %Desktop%-INSTRUCTION.bmp<\/em>:<\/p>\n Figure 7: Ransom:Win32\/Locky.A<\/a> leaves this ransom note<\/em><\/p>\n The malware analyzed for the blog post have the following SHA1:<\/p>\n To avoid falling prey to this new ransomware, here are some tips:<\/p>\n For end users<\/strong><\/p>\n For IT administrators<\/strong><\/p>\n <\/p>\n\n
![\"black-friday-email-1\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/black-friday-email-1.png\")
<\/p>\n![\"black-friday-email-2\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/black-friday-email-2.png\")
<\/p>\n![\"black-friday-email-3\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/black-friday-email-3.png\")
<\/p>\n![\"black-friday-spam-javascript-in-zip\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/black-friday-spam-javascript-in-zip.png\")
<\/p>\n![\"black-friday-spam-obfuscated-javascript\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/black-friday-spam-obfuscated-javascript-1024x404.png\")
<\/p>\n\n
![\"black-friday-infection-ransom-note\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/black-friday-infection-ransom-note.jpg\")
<\/p>\n\n
\n
\n
Prevention and mitigation<\/h2>\n
\n
\n