Initially, I thought our system missed a threat. It turns out that, despite being called “89h766b.exe”, it was in fact a harmless text file containing the text “STUPID LOCKY”.
So why did this seemingly malicious email campaign only spread a harmless text message complaining about Locky? My best guess is that some well-intentioned vigilante gained access to the command and control infrastructure attackers use to deliver their malicious executables. It looks like this vigilante replaced the harmful ransomware file with an innocuous text file, thus preventing the evil email campaign from working. While we thank the vigilante for their efforts, we recommend customers do not allow emails with .js attachments and use APT Blocker. — Rob Collins