The latest Locky distribution campaign uses emails that pretend to be complaints from the victim’s ISP, stating that spam has been sent from the victim’s computer. The emails contain a ZIP attachment that uses social engineering to trick users into opening it: the file is named logs_[target_name].zip.
The ZIP file includes a JavaScript that, when opened, downloads an encrypted DLL that is decrypted into the %Temp% folder on the infected machine. Loaded using the legitimate Windows program Rundll32.exe, the DLL will install and execute the Locky ransomware.
As soon as the installation process has been completed, the ransomware scans the computer and network shares (including the unmapped ones) for specific file types and starts encrypting them. Encrypted files are renamed and appended the .AESIR extension.
After the encryption process has been completed, the malware displays a ransom note informing the victim on what happened with their files and providing instructions on how to pay the ransom to decrypt the files.
http://www.securityweek.com/fake-isp-complaint-emails-distribute-locky-ransomware-variant