{"id":1465,"date":"2019-04-06T19:33:39","date_gmt":"2019-04-06T19:33:39","guid":{"rendered":"http:\/\/www.syyhoaxanalyzer.com\/?p=1465"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T17:00:00","slug":"Fake-'Order-Status'-Emails-Contain-Locky-Malware","status":"publish","type":"post","link":"https:\/\/www.syyhoaxanalyzer.com\/?p=1465","title":{"rendered":"Fake &#8216;Order Status&#8217; Emails Contain Locky Malware"},"content":{"rendered":"<div>\n<p><span style=\"color: #ff0000;\"><strong>Outline:<\/strong><\/span><br \/>\n&#8216;Order Status&#8217; emails thank you for your recent order and claim that you can view details of the supposed order by opening an attached .zip file.<br \/>\n<span style=\"color: #ff0000;\"><strong>Brief Analysis:<\/strong><\/span><br \/>\nThe emails are not legitimate order notifications. The attached .zip file contains a malicious JavaScript (.js) file. If opened, this .js file can download and install Locky ransomware. 
Once installed, Locky encrypts the files stored on your computer and then demands that you pay online criminals a fee to receive a decryption key.<\/p>\n<div class=\"example\"><span style=\"color: #ff0000;\"><b>Example:<\/b><\/span><br \/>\n<strong>Subject: FW: Order Status #168750<\/strong><\/p>\n<p>Dear sales,<br \/>\nWe would like to thank you for your recent order.<br \/>\nOrder Status updated on: 21\/03\/2016<br \/>\nYour Customer ID: 168750<br \/>\nYour Order ID: 951E514AE5-M-2016<br \/>\nInvoice Number: 4186369<br \/>\nDelivery Note:<br \/>\nWe received your order and payment on 17\/03\/2016<br \/>\nYour order details are attached.<\/p>\n<p>Best regards,<br \/>\nRita Rowland<br \/>\nChief Technology Officer<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"example\">\n<p><span style=\"color: #ff0000;\"><b>Example:<\/b><\/span><\/p>\n<p><strong>Subject: FW: Order Status #241785<\/strong><\/p>\n<p>Dear brett,<\/p>\n<p>We would like to thank you for your recent order.<\/p>\n<p>Order Status updated on: 21\/03\/2016<br \/>\nYour Customer ID: 241785<br \/>\nYour Order ID: 0D95B02626-M-2016<br \/>\nInvoice Number: 8866173<\/p>\n<p>Delivery Note:<br \/>\nWe received your order and payment on 17\/03\/2016<\/p>\n<p>Your order details are attached.<\/p>\n<p>Best regards,<br \/>\nJoan Huber<br \/>\nBusiness Director USA Job<\/p>\n<\/div>\n<p><span style=\"color: #ff0000;\"><strong>Detailed Analysis:<\/strong><\/span><br \/>\nA spate of emails currently hitting inboxes purport to be &#8216;order status&#8217; notifications and claim that you can read more information about a recent order by opening an 
attached .zip file. The emails have the subject line &#8216;FW: Order Status&#8217; along with a supposed order number. The bodies of the emails thank you for your recent order and list further details about the supposed order. They finish with the name and job description of the supposed sender.<\/p>\n<p>However, these emails are certainly not legitimate order notifications and the attachments do not contain order details. Instead, the attached .zip files harbour a malicious JavaScript (.js) file. If you click this .js file, it will download and install <a title=\"'Locky' ransomware \u2013 what you need to know\" href=\"https:\/\/nakedsecurity.sophos.com\/2016\/02\/17\/locky-ransomware-what-you-need-to-know\/\">Locky malware<\/a> on your computer. Once Locky is installed, it will encrypt all of your personal files and rename them with the extension .locky. A message will appear on your screen that explains that your files are locked and you must pay a ransom in the online currency Bitcoin to get a decryption key. And the only way you can pay this ransom and &#8211; possibly &#8211; get the decryption key is to make contact with criminals skulking in the Dark Web. Since you are dealing with criminals, there is certainly no guarantee that you will actually receive the key even if you do pay up.<\/p>\n<p>Unfortunately, there is no easy way of ridding the computer of this malware. However, if you have good recent backups, you may be able to reformat the computer and restore your files from these backups.<\/p>\n<p>Details, such as order, invoice, and customer numbers as well as the name and job description of the supposed sender may vary in different versions of these emails. Note also that there are several other similar payment-related malware emails being distributed. These emails also contain Locky. 
Be very wary of any email that claims to contain information about a <a title=\"'Payment Declined' Emails Contain Locky Ransomware\" href=\"http:\/\/hoax-slayer.net\/payment-declined-emails-contain-locky-ransomware\/\">declined payment<\/a>, an <a title=\"Bogus 'Payment Accepted' Email Carries Locky Ransomware\" href=\"http:\/\/hoax-slayer.net\/bogus-payment-accepted-email-carries-locky-ransomware\/\">accepted payment<\/a>, <a title=\"'Received Documents From Your Bank' Emails Contain Locky Ransomware\" href=\"http:\/\/hoax-slayer.net\/received-documents-from-your-bank-emails-contain-locky-ransomware\/\">bank documents<\/a>, credit notes, recent orders, or other payment- or invoice-related issues. If you receive one of these emails, do not open any attachments that it contains.<\/p>\n<p><a href=\"http:\/\/hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-4.jpg\" data-rel=\"penci-gallery-image-content\"  rel=\"attachment wp-att-1355\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"1355\" data-permalink=\"https:\/\/www.hoax-slayer.net\/fake-order-status-emails-contain-locky-malware\/locky-ransomware-4\/\" data-orig-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-4.jpg\" data-orig-size=\"800,470\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"locky-ransomware-4\" data-image-description=\"\" data-medium-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-4-300x176.jpg\" 
data-large-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-4.jpg\" class=\"aligncenter size-full wp-image-1355\" src=\"https:\/\/hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-4.jpg\" alt=\"Locky Ransomware\" width=\"800\" height=\"470\" srcset=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-4.jpg 800w, https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-4-300x176.jpg 300w, https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-4-768x451.jpg 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/a><\/p>\n<p class=\"date\">Last updated: March 22, 2016<br \/>\nFirst published: March 22, 2016<br \/>\nBy Brett M. 
Christensen<br \/>\n<a class=\"foot\" href=\"http:\/\/www.hoax-slayer.com\/about.shtml\">About Hoax-Slayer<\/a><\/p>\n<p class=\"ref\">References<br \/>\n<a title=\"'Payment Declined' Emails Contain Locky Ransomware\" href=\"http:\/\/hoax-slayer.net\/payment-declined-emails-contain-locky-ransomware\/\">&#8216;Payment Declined&#8217; Emails Contain Locky Ransomware<\/a><br \/>\n<a title=\"Bogus 'Payment Accepted' Email Carries Locky Ransomware\" href=\"http:\/\/hoax-slayer.net\/bogus-payment-accepted-email-carries-locky-ransomware\/\">Bogus &#8216;Payment Accepted&#8217; Email Carries Locky Ransomware<\/a><br \/>\n<a title=\"'Received Documents From Your Bank' Emails Contain Locky Ransomware\" href=\"http:\/\/hoax-slayer.net\/received-documents-from-your-bank-emails-contain-locky-ransomware\/\">&#8216;Received Documents From Your Bank&#8217; Emails Contain Locky Ransomware<\/a><br \/>\n<a title=\"'Locky' ransomware \u2013 what you need to know\" href=\"https:\/\/nakedsecurity.sophos.com\/2016\/02\/17\/locky-ransomware-what-you-need-to-know\/\">&#8216;Locky&#8217; ransomware \u2013 what you need to know<\/a><\/p>\n<p>&nbsp;<\/p>\n<p><\/br><\/br> Original Source : <a href=\"https:\/\/www.hoax-slayer.net\/fake-order-status-emails-contain-locky-malware\/\" target=\"_blank\">https:\/\/www.hoax-slayer.net\/fake-order-status-emails-contain-locky-malware\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Outline: &#8216;Order Status&#8217; emails thank you for your recent order and claim that you can view details of the supposed order by opening an attached .zip file. Brief Analysis: The emails are not legitimate order notifications. The attached .zip file contains a malicious JavaScript (.js) file. 
If opened, this .js file can download and install [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6890,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1465","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hoax-inggris"],"_links":{"self":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/posts\/1465"}],"collection":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1465"}],"version-history":[{"count":0,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/posts\/1465\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/media\/6890"}],"wp:attachment":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}