On Tuesday 2017-01-03 , BleepingComputer published an article about `` Merry X-Mas Ransomware '' . This ransomware was first seen by people like @ PolarToffee , @ dvk01uk , and @ Techhelplistcom . Merry X-Mas Ransomware was first reported as distributed through malicious spam ( malspam ) disguised as Attack.Phishing FTC consumer complaints . By Sunday 2017-01-08 , I saw an updated version of the Merry X-Mas Ransomware distributed through malspam disguised as Attack.Phishing court attendance notifications . It seemed odd to find Christmas-themed ransomware two weeks after Christmas ; however , Orthodox Christian communities celebrate Christmas on January 7th . Ultimately , such Christmas-themed ransomware is n't odd if it 's from a Russian actor . With that in mind , let 's review the characteristics of Sunday 's Merry X-Mas ransomware . Show above : Comparison of Merry X-mas ransomware notifications from 2017-01-03 and 2017-01-08 . The malspam was a fake notification to appear in court . Email headers indicate the sender 's address was spoofed Attack.Phishing , and the email came from a cloudapp.net domain associated with Microsoft . The zip archive contained a Microsoft Word document with a malicious macro . If macros were enabled on the Word document , it downloaded and executed the ransomware .