Home Malware ‘Received Documents From Your Bank’ Emails Contain Locky Ransomware

‘Received Documents From Your Bank’ Emails Contain Locky Ransomware

by Brett M. Christensen

‘Payment’ emails claim that the sender has received documents from your bank and urge you to open an attached file to review these documents. The emails claim to be from a Financial CEO, Accounts Manager, Financial Manager, or similar management staff titles.

Brief Analysis:
The emails are not from any legitimate financial manager. Nor does the attachment contain banking documents.  Instead, the attached .zip file contains a malicious JavaScript file that, if opened, can download and install Locky ransomware.


Subject: FW: Payment 16-03-#647764

Dear [First name derived from email address],

We have received this documents from your bank, please review attached documents.

Yours sincerely,

Wendell Cortez
Financial CEO

This email has been scanned by the Symantec Email Security.cloud service.

Detailed Analysis:
According to malware emails that are currently hitting inboxes, the senders have received documents from your bank and you should review these documents by opening an attached .zip file. The emails, which have a subject line consisting of the word ‘Payment’ along with a date and a random number, also include the name of the supposed staff member who sent them.

These staff names vary in different versions of the emails, as do the job description of the sender and the attachment name.  The supposed sender might be described as a ‘Financial CEO’,  an ‘Accounts Manager’,  a ‘Financial Manager’ or a similar title. To further the illusion of legitimacy, the criminals have included a footer line claiming – falsely – that the emails have been scanned by the ‘Symantec Email Security.cloud service’.

Opening the attached .zip file reveals a malicious JavaScript (.js) file. Clicking this .js file will activate the JavaScript and cause it to download and install Locky ransomware.

Like other types of ransomware, Locky will lock all of the files on your computer and then demand a fee to receive a decryption key. Unfortunately, there is no easy or straightforward way of dealing with the malware and recovering your files unless you have good backups saved away from the infected computer.  Even if you decide that the only option is to pay up, there is no guarantee that you will receive the unlocking key since you are dealing with criminals.

If you receive one of these emails, do not open any attachments that it may have and do not click any links that it contains.

Locky Ransomeware

Last updated: March 14, 2016
First published: March 14, 2016
By Brett M. Christensen
About Hoax-Slayer

Malware Threat Articles
Malware spam: “FW: Payment 16-03-#507586” / “We have received this documents from your bank, please review attached documents.”
‘Locky’ ransomware – what you need to know


Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,