New Ransomware Strain Making the Rounds, Hidden in Infected Word Files

As of February 2016, a new strain of malware is circulating on the internet, hidden in infected Microsoft Word documents. This ransomware, known as “Locky,” arrives in a user’s inbox as an email with an attached Microsoft Word document that contains malicious macros. Once the macros are enabled, they scramble and encrypt files, and the user must either pay a ransom or hope that a recent backup will prevent any lost data.

How to Identify an Email Containing Locky

According to KnowBe4’s security awareness training blog, an email with ransomware will have a subject line similar to "ATTN: Invoice J-99223146" and a message such as "Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice." The content of the Word document will appear scrambled and illegible, with various fonts and symbols, and the top of the document will prompt the user to enable macros in order to read the document.

Screenshot of infected Word document, courtesy of KnowBe4: [image: Locky Ransomware photo]

How to Avoid Ransomware

The good news is that the user has to enable the macros in order to fall victim to Locky. By educating yourself on ransomware and how it works, you can learn to avoid it. The most important thing is to be proactive.

Build your human firewall:

  • Be cautious about unsolicited attachments
  • Don't enable macros in emailed document attachments

Take IT security measures:

  • Regularly back up files
  • Install patches often


What to do if Your Computer Comes Under Attack

Dealing with Locky can put your organization out of commission until you have resolved the issue. There's no one thing to do, but KnowBe4's blog does a good job describing a potential course of action in its article “It’s Here. New Ransomware Hidden in Infected Word Files.”

