penny stock pump-and-dump emails to booby-trapped files that lead to malware (usually Locky or Dridex), has been spotted slinging thousands upon thousands of emails in the last three or four days.

“Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky,” Cisco Talos researchers noted on Friday.

In the first part of the spam campaign, the emails contain no text except in the Subject line, which simply says “Receipt” or “Payment”, followed by random numbers. Those numbers are seen again in the name of the attached PDF file (as seen in the screenshot above). Later, the emails were made to look like they contained a scanned image in PDF format for the recipient to peruse.

In both cases, the attached PDF contains embedded Word documents with macros, and for the documents to be opened and the macros to run, users are required to enable them. This is achieved through subterfuge: the victims are shown a note saying that the document is protected, and that they have to “Enable editing” in order to view it. Before that, the victims are also prompted to allow the opening of the file – a step that’s required for the malware to bypass the protection offered by the program’s sandbox.

“The word document itself contains an XOR’d Macro that downloaded the Locky sample from what is likely a compromised website,” the researchers explained, noting that the DNS requests associated with the domain serving the malware have been spiking, but that it’s difficult to determine if these requests are from victims or the many security practitioners that are investigating this widespread campaign.

Users who go through all the motions required to serve the malware will end up with their files encrypted and the .osiris extension added to them.
The criminals behind the ransomware are asking for 0.5 Bitcoin (around $620) in order to decrypt the files. Unfortunately for the victims, there is currently no way to decrypt the files without paying the ransom, so they’ll need to choose between losing the files (if they have no backup) or paying up (although there is no guarantee that the crooks will keep their word).
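The article describes a recognisable lure chain: an empty-bodied email whose Subject is “Receipt” or “Payment” plus a number, a PDF attachment whose filename repeats that number, and inside the PDF an embedded Word document carrying a macro. The following Python triage heuristic is an added example, not code from the article or from Cisco Talos; the mail records and PDF bytes are constructed samples, and the byte markers it looks for (`/EmbeddedFile`, `/Filespec`, `/OpenAction`, `/JavaScript`, an Office file name) are generic indicators of a PDF that carries another file, not signatures of this specific campaign.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Subject pattern described in the article: "Receipt" or "Payment" then digits.
SUBJECT_RE = re.compile(r"^(Receipt|Payment)\s*[-_ ]?(\d+)\s*$", re.IGNORECASE)

# Generic byte markers of a PDF that embeds another file or auto-runs something.
EMBEDDED_MARKERS = (b"/EmbeddedFile", b"/Filespec", b"/OpenAction", b"/JavaScript")
# An Office document name appearing inside the PDF body (e.g. a Filespec /F entry).
OFFICE_NAME_RE = re.compile(rb"\.(docm?|dotm?|xlsm?)\b", re.IGNORECASE)


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[Attachment]


def pdf_indicators(content: bytes) -> List[str]:
    """Cheap byte-level indicators that a PDF carries an embedded Office file."""
    found = [m.decode() for m in EMBEDDED_MARKERS if m in content]
    if OFFICE_NAME_RE.search(content):
        found.append("office-document-name")
    return found


def score_message(msg: Message) -> Dict[str, object]:
    """Combine header and attachment heuristics into a verdict plus reasons."""
    reasons: List[str] = []
    m = SUBJECT_RE.match(msg.subject.strip())
    digits = m.group(2) if m else None
    if m:
        reasons.append("subject matches Receipt/Payment + number")
    if not msg.body.strip():
        reasons.append("empty body")
    for att in msg.attachments:
        if not att.filename.lower().endswith(".pdf"):
            continue
        if digits and digits in att.filename:
            reasons.append(f"pdf name repeats subject number {digits}")
        ind = pdf_indicators(att.content)
        if ind:
            reasons.append("pdf indicators: " + ",".join(ind))
    # Only a matching subject combined with attachment evidence is "suspicious";
    # a lone hit (e.g. a real payment receipt) is queued for review instead.
    attachment_evidence = any(r.startswith("pdf") for r in reasons)
    if m and attachment_evidence:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real captures).
LURE_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Filespec/F(invoice.docm)/EF<</F 2 0 R>>>>endobj\n"
            b"2 0 obj<</Type/EmbeddedFile/Length 10>>stream\nXXXXXXXXXX\nendstream\nendobj\n%%EOF")
PLAIN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF"

SAMPLES = [
    Message("Receipt 83921", "", [Attachment("Receipt_83921.pdf", LURE_PDF)]),
    Message("Invoice for March", "Hi, the March invoice is attached.",
            [Attachment("invoice_march.pdf", PLAIN_PDF)]),
    Message("Payment 5581", "Attached as discussed.", [Attachment("statement.pdf", PLAIN_PDF)]),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.subject, "->", score_message(s))
```

The verdict deliberately requires two independent signals before a message is called suspicious, because a genuine “Payment 5581” email with a real PDF would otherwise be quarantined on its subject line alone; such single-signal hits go to a review queue.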
Criminals are still trying to shake down users of the Ashley Madison dating/cheating online service. As you might remember, the service was hacked in 2015, and the attackers stole sensitive personal and financial data of 37 million users, and later dumped it online.

Since then, cyber criminals have been attempting to monetize this data by sending emails to users whose info they found in the dump, threatening to reveal all of it to the target’s nearest and dearest, and asking for money in exchange for silence. The emails generally contain some of the target’s personal data so as to make the threat believable, and often claim that the attackers have found the target’s Facebook account and, therefore, have the means to contact their friends, family, and employer.

In this latest round of blackmail attempts, they are threatening to set up a site and publish all the stolen information. “On May 1 2017 we are launching our new site – Cheaters Gallery – exposing those who cheat and destroy families. We will launch the site with a big email to all the friends and family of cheaters taken from Facebook, LinkedIn and other social sites. This will include you if do not pay to opting out,” the email says, as noted by ZDNet’s Robin Harris, who received one. The extortionists are asking for some $500 (in Bitcoin).

It’s impossible to tell whether these crooks are the same ones that mounted previous email blackmail attempts. What is definitely obvious is that they are betting on there still being some users with too much to lose if the information gets out. Harris did not share the contents of the email he received, but recipients can be sure that if their Facebook or other social media account isn’t specified in it, the blackmailers haven’t actually connected the two accounts.
More likely than not, they have simply written a script that takes specific info from the Ashley Madison data dump, inserts it in a template email, and fires these emails off to as many recipients as possible.