Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Massive Volume of Ransomware Downloaders being Spammed

We are currently seeing extraordinarily huge volumes of JavaScript attachments being spammed out, which, if clicked on by users, lead to the download of a ransomware. Ransomware encrypts data on a hard drive, and then demands payment from the victim for the key to decrypt the data.

Our Spam Research Database saw around 4 million malware spams in the last seven days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps. The graph below shows hourly spam traffic for the malware category for the past 30 days - note the relatively low levels of activity to the left, and huge peaks on the right, representing the ransomware downloader campaigns. As you can see the campaigns are not continuous, but concentrated bursts, with peaks of 200K emails hitting our servers in a single hour.

Figure 1: Volume of Ransomware-ridden Spam for the past month

These campaigns are coming from the same botnet responsible for previously spammed documents with malicious macros which downloaded the Dridex trojan. The actors behind the campaigns have merely changed the delivery mechanism (.js attachment) and the end malware (ransomware).

The Destruction

The notorious payloads of ransomware have been covered many times in blogs and mainstream media. This type of malware has a very destructive payload. Here's a walkthrough on how this ransomware gets propagated and infects a system. This particular spam campaign was sending a JavaScript attachment that downloads Locky ransomware:

Figure 2: Recent spam typically uses Invoice-related subject lines
Figure 3: Extracted JavaScript file

Running the JavaScript downloads the ransomware executable:

Figure 4: The JavaScript code showing the download URL of the payload.

A registry key may be added; in this case it adds the Registry key HKEY_CURRENT_USER\Software\Locky in the infected system.

Figure 5: Registry key added by Locky Ransomware

The malware connects to its Control servers that are hardcoded in the code. It then reports back the infected systems information:

Figure 6: Malware code showing the Command and control communication routine

The Locky ransomware looks for list of file extensions in the infected system's hard drive and then encrypt those files:

Figure 7: The code routine where Locky looks for files to encrypt





















































































































Figure 8: List of file extensions that Locky ransomware encrypts

The malware renames the encrypted files to a random name and uses .locky as the file extension.


Ransom notes are dropped in every encrypted file's folder and the desktop background is also replaced with a ransom note image.


A unique webpage is generated for each victim that can only be accessed through Tor anonymous browser. This page contains a bitcoin payment setup where the victim could pay for a decrypter tool.


Blocking these mass spam attacks at the email gateway is important. In a way, apart from the huge volumes and the ransomware payload, these malicious spam campaigns are not new. It's the same botnet, different day, and different payload. Our Trustwave Secure Email Gateway is currently proving very effective against these campaigns. All layers, including the various anti-spam and anti-malware layers, play a part.

For those wanting extra protection, also carefully consider your inbound email policy:

  • Blocking inbound .js attachments at the gateway
  • Blocking inbound Office documents with macros at the gateway.

While these steps might seem very strict, some companies have opted for them, at the same time as considering alternative ways to pass valid .js and macro documents into the organisation.

And of course your last line of defense against ransomware infection is always having an up to date and good backup process.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More