penny stock pump-and-dump emails to booby-trapped files that lead to malware ( usually Locky or Dridex ) , has been spotted slingingAttack.Phishingthousand upon thousand of emails in the last three or four days . “ Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky , ” Cisco Talos researchers noted on Friday . In the first part of the spam campaign , the emails contain no text except in the Subject line , which simply says “ Receipt ” or “ Payment ” , followed by random numbers . Those numbers are seen again in the name of the attached PDF file ( as seen in the screenshot above ) . Later , the emails were made to look likeAttack.Phishingthey contained a scanned image in PDF format for the recipient to peruse . In both cases , the attached PDF contains embedded Word documents with macros , and in order for them to be opened and run the aforementioned macros , users are required to enable them . This is achieved through subterfuge : the victims are shown a note saying that the document is protected , and that they have to “ Enable editing ” in order to view it . Before that , the victims are also prompted to allow the opening of the file – a step that ’ s required for the malware to bypass the protection offered by the program ’ s sandbox . “ The word document itself contains an XOR ’ d Macro that downloaded the Locky sample from what is likely a compromised website , ” the researchers explained , noting that the DNS requests associated with the domain serving the malware have been spiking , but that it ’ s difficult to determine if these requests are from victims or the many security practitioners that are investigating this widespread campaign . Users who go through through all the motions required to serve the malware will end up with their files encrypted and the .osiris extension added to them . The criminals behind the ransomware are asking forAttack.Ransom0.5 Bitcoin ( around $ 620 ) in order to decrypt the files . Unfortunately for them , there is currently no way to decrypt the files without paying the ransomAttack.Ransom, so they ’ ll need to choose between losing the files ( if they have no backup ) or paying upAttack.Ransom( although there is no guarantee that the crooks will keep their word ) .