Last week our team witnessed a new variant of the Locky ransomware in the wild.
The payload is delivered by a spoofed e-mail that appears to come from the user's own e-mail address, with a zip file ‘DocumentXX.zip’ attached, where XX is a random number. The e-mail subject is ‘DocumentXX’ and the e-mail body is empty. We sincerely advise you not to open the zip file because it unleashes Locky on your systems.
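The four traits just listed (sender equal to recipient, a ‘DocumentXX’ subject, a ‘DocumentXX.zip’ attachment, an empty body) are easy to score at the mail gateway. The following Python script is an added example for this post, not code from the original author; it uses only the standard library's `email` parser, and the two messages embedded in it are constructed samples, not real captures. The indicator names and the threshold of three matches are my own choices.

```python
"""Score an RFC 822 message against the traits of the spoofed 'DocumentXX'
campaign. Added example for this post (not the author's code); the sample
messages below are constructed, and the indicator names are assumptions."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List

SUBJECT_RE = re.compile(r"^Document\d+$", re.IGNORECASE)
ATTACH_RE = re.compile(r"^Document\d+\.zip$", re.IGNORECASE)


def attachment_names(msg: Message) -> List[str]:
    """Collect the file names of every MIME part marked as an attachment."""
    names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename()
            if name:
                names.append(name)
    return names


def body_is_empty(msg: Message) -> bool:
    """True when no inline text part carries any non-whitespace content."""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_content_disposition() != "attachment":
            payload = part.get_payload(decode=True) or b""
            if payload.strip():
                return False
    return True


def locky_indicators(raw: str) -> List[str]:
    """Return the campaign traits present in a raw message, in a fixed order."""
    msg = message_from_string(raw)
    hits = []
    # parseaddr takes the first address in each header; good enough for scoring.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if sender and sender == recipient:
        hits.append("from_equals_to")
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("document_subject")
    if any(ATTACH_RE.match(name) for name in attachment_names(msg)):
        hits.append("document_zip_attachment")
    if body_is_empty(msg):
        hits.append("empty_body")
    return hits


def is_suspect(raw: str, threshold: int = 3) -> bool:
    """Quarantine-worthy when at least `threshold` of the four traits match."""
    return len(locky_indicators(raw)) >= threshold


# Constructed sample: all four traits present (the zip payload is a dummy).
SAMPLE_LOCKY = """From: alice@example.com
To: alice@example.com
Subject: Document42
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

--b1
Content-Type: application/zip; name="Document42.zip"
Content-Disposition: attachment; filename="Document42.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: an ordinary message with a different sender, a real
# subject line, body text and a non-zip attachment.
SAMPLE_BENIGN = """From: bob@example.com
To: alice@example.com
Subject: Invoice for March
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Hi Alice, the invoice is attached.
--b2
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, sample in (("locky", SAMPLE_LOCKY), ("benign", SAMPLE_BENIGN)):
        print(label, locky_indicators(sample), "suspect" if is_suspect(sample) else "ok")
```

The sender-equals-recipient trait is scored rather than blocked outright because people do legitimately mail themselves; combined with the fixed subject pattern and the zip name it becomes a strong signal. A header comparison like this does not verify the sender at all, so it complements, and does not replace, SPF/DKIM checks on the gateway.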
The latest trend for ransomware is to run only in memory to circumvent AV detection, but this also means it won't survive a reboot. So if you really have no idea which systems are infected, try rebooting every system that can go offline.
For further information on how to deal with Locky: http://www.cyberforce.be/blog/2016/2/19/new-ransomware-strain-detected
The same method of delivery seems to be used by new Dridex variants: https://myonlinesecurity.co.uk/document1-pretending-to-come-from-your-own-email-address-js-malware-leads-to-locky-ransomware/