‘Received Documents From Your Bank’ Emails Contain Locky Ransomware

‘Payment’ emails claim that the sender has received documents from your bank and urge you to open an attached file to review these documents. The emails claim to be from a Financial CEO, Accounts Manager, Financial Manager, or similar management staff titles.

Brief Analysis:
The emails are not from any legitimate financial manager. Nor does the attachment contain banking documents.  Instead, the attached .zip file contains a malicious JavaScript file that, if opened, can download and install Locky ransomware.


Subject: FW: Payment 16-03-#647764

Dear [First name derived from email address],

We have received this documents from your bank, please review attached documents.

Yours sincerely,

Wendell Cortez
Financial CEO

This email has been scanned by the Symantec Email Security.cloud service.

Detailed Analysis:
According to malware emails that are currently hitting inboxes, the senders have received documents from your bank and you should review these documents by opening an attached .zip file. The emails, which have a subject line consisting of the word ‘Payment’ along with a date and a random number, also include the name of the supposed staff member who sent them.

These staff names vary in different versions of the emails, as do the job description of the sender and the attachment name.  The supposed sender might be described as a ‘Financial CEO’,  an ‘Accounts Manager’,  a ‘Financial Manager’ or a similar title. To further the illusion of legitimacy, the criminals have included a footer line claiming – falsely – that the emails have been scanned by the ‘Symantec Email Security.cloud service’.

Opening the attached .zip file reveals a malicious JavaScript (.js) file. Clicking this .js file will activate the JavaScript and cause it to download and install Locky ransomware.

Like other types of ransomware, Locky will lock all of the files on your computer and then demand a fee to receive a decryption key. Unfortunately, there is no easy or straightforward way of dealing with the malware and recovering your files unless you have good backups saved away from the infected computer.  Even if you decide that the only option is to pay up, there is no guarantee that you will receive the unlocking key since you are dealing with criminals.

If you receive one of these emails, do not open any attachments that it may have and do not click any links that it contains.

Locky Ransomeware

Last updated: March 14, 2016
First published: March 14, 2016
By Brett M. Christensen
About Hoax-Slayer

Malware Threat Articles
Malware spam: “FW: Payment 16-03-#507586” / “We have received this documents from your bank, please review attached documents.”
‘Locky’ ransomware – what you need to know