Ongoing Massive Ransomware Email “INVOICE” Campaign

by Ron Benvenisti. In furtherance of public-private partnerships, I am providing this DHS/US-CERT Technical Alert (TA), dated 10-24-2017, to assist community members in guarding against the persistent malicious actions of cyber criminals.

There has been a recent and dramatic increase in unsolicited emails attempting to deliver either the “Asasin” variant of the Locky ransomware or the Trickbot banking trojan to state government email addresses. Further analysis revealed that this activity is part of a global ransomware campaign that appears to be using the Necurs botnet to distribute the malicious emails.

These emails originate from various random domains. The subject line reads “Your Invoice” followed by a string of five or six digits, and attached to the email is a Microsoft Word document named “Invoice_file_[random digits].doc”.

This document attempts to abuse Microsoft Word’s Dynamic Data Exchange (DDE) feature. It carries a DDE field rather than a macro, so macro-blocking settings do not stop it; if the recipient opens the attachment and clicks “Yes” on the prompt Word displays (Word first asks whether to update the document’s fields, then whether to start the application the field references), the field launches a command that downloads either Locky or Trickbot. See the examples below.
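As an added example (this is not part of the alert or of any US-CERT material), the following Python triages a suspected message against the indicators above and pulls the field codes out of the Word attachment to look for DDE/DDEAUTO. The two sample documents it builds are constructed, harmless placeholders (the DDEAUTO target is calc.exe, not the campaign's payload); the legacy .doc check is a byte-level heuristic that does not parse the OLE container, and function names such as `matches_lure` and `dde_fields` are this example's own.

```python
"""Added example (not from the alert): triage a "Your Invoice" lure and scan its
Word attachment for DDE/DDEAUTO field codes. Sample documents are constructed,
harmless placeholders (the DDEAUTO target is calc.exe, not the real payload)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc is an OLE2 container
ZIP_MAGIC = b"PK\x03\x04"                       # .docx is a ZIP of XML parts
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)
# Lure indicators from the alert: subject "Your Invoice" + five or six digits,
# attachment Invoice_file_<digits>.doc
SUBJECT_RE = re.compile(r"^Your Invoice \d{5,6}$")
ATTACH_RE = re.compile(r"^Invoice_file_\d+\.doc$", re.IGNORECASE)


def matches_lure(subject: str, attachment: str) -> bool:
    """True when both the subject and the attachment name fit the campaign."""
    return bool(SUBJECT_RE.match(subject.strip()) and ATTACH_RE.match(attachment))


def docx_field_codes(data: bytes) -> list[str]:
    """Field instructions from every word/*.xml part of a .docx: <w:instrText>
    runs between fldChar begin and separate/end, plus <w:fldSimple w:instr>.
    First pass only: nested fields and QUOTE-style obfuscation are not decoded."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            buf, in_code = [], False
            for el in ET.fromstring(z.read(name)).iter():
                if el.tag == W + "fldChar":
                    kind = el.get(W + "fldCharType")
                    if kind == "begin":
                        buf, in_code = [], True
                    elif in_code and kind in ("separate", "end"):
                        codes.append("".join(buf))
                        buf, in_code = [], False
                elif el.tag == W + "instrText" and in_code:
                    buf.append(el.text or "")
                elif el.tag == W + "fldSimple":
                    codes.append(el.get(W + "instr", ""))
    return codes


# Word 97-2003 stores field codes inline in the text: 0x13 opens a field, 0x14
# separates code from result, 0x15 closes it; the text is cp1252 or UTF-16LE.
DOC_8BIT_RE = re.compile(rb"\x13([^\x14\x15]{0,512})")
DOC_U16_RE = re.compile(rb"\x13\x00((?:[^\x14\x15]\x00){0,512})")


def doc_field_codes_heuristic(data: bytes) -> list[str]:
    """Byte-level heuristic for legacy .doc; does not parse the OLE container."""
    codes = [m.group(1).decode("cp1252", "replace") for m in DOC_8BIT_RE.finditer(data)]
    codes += [m.group(1).decode("utf-16-le", "replace") for m in DOC_U16_RE.finditer(data)]
    return codes


def dde_fields(data: bytes) -> list[str]:
    """DDE/DDEAUTO field codes found in a Word attachment (empty if none/unknown)."""
    if data.startswith(ZIP_MAGIC):
        codes = docx_field_codes(data)
    elif data.startswith(OLE_MAGIC):
        codes = doc_field_codes_heuristic(data)
    else:
        return []
    return [c.strip() for c in codes if DDE_RE.match(c)]


# Constructed samples: stand-ins for the campaign's documents, not real ones.
SAMPLE_FIELD = ' DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" '


def build_sample_docx() -> bytes:
    """Minimal .docx with one DDEAUTO complex field and one benign DATE field."""
    xml = ('<w:document xmlns:w="' + W_NS + '"><w:body>'
           '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText xml:space="preserve">' + SAMPLE_FIELD + '</w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Invoice</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
           '<w:p><w:fldSimple w:instr=" DATE "><w:r><w:t>10/24/2017</w:t></w:r></w:fldSimple></w:p>'
           '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", xml)
    return buf.getvalue()


def build_sample_doc() -> bytes:
    """OLE magic plus a UTF-16LE field span: enough for the heuristic, not a valid file."""
    field = "\x13" + SAMPLE_FIELD + "\x14Invoice\x15"
    return OLE_MAGIC + b"\x00" * 504 + field.encode("utf-16-le") + b"\x00" * 64


if __name__ == "__main__":
    for name, blob in (("Invoice_file_10923.doc", build_sample_doc()),
                       ("sample.docx", build_sample_docx())):
        print(name, matches_lure("Your Invoice 48213", name), dde_fields(blob))
```

Anything this flags should be detonated or handed to a proper parser rather than trusted on its own: real samples often hide the DDE payload behind QUOTE fields or split it across runs, which this first pass does not decode. For production triage of both .doc and .docx, the `msodde` tool from the open-source oletools project parses the OLE container properly.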

I am reminding everyone never to click on links or open attachments delivered with unexpected or unsolicited emails. If you have received one of these emails and opened the attachment, isolate the affected system(s) from the network immediately to prevent the malware from spreading. If you were impacted by Locky, wipe the infected system(s) and restore data from clean backups, if available.

There is no publicly available decryption tool for Locky at this time.  

If you were impacted by Trickbot, perform a full system scan with a reputable anti-malware solution; monitor, and change the passwords for, any financial, personal, or business accounts accessed from the infected systems, doing so from a known-clean device since Trickbot steals credentials; and enable multi-factor authentication wherever it is available.

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].
