Amazon users targeted by Locky ransomware

Locky hides under “Your order has been dispatched” message

Amazon customers have been targeted with widespread ransomware attacks. This was detected by security researchers at Comodo. They are warning that Amazon users are being sent emails with attached infected Microsoft Word documents. The infection happens through the macro that immediately triggers the download of a malicious script.

The detected attacks are still being analyzed, though early reports show it to be the infamous Locky ransomware or its version in the form of a trojan-ransomware. The ransomware encrypts the victim’s files and displays a ransom note, demanding money for the decryption key. The number of infections is still not known at the moment. What seems is that this is a massive and aggressive campaign.

Those, who open the file and enable the macros end up with Locky


Researchers at Comodo say that this attack against the users of Amazon is one of the largest spam ransomware campaigns detected this year. The phishing emails come from [email protected], pretending to be an Amazon notification. The attackers did a good job by masking the messages – everything in the email header appears legitimate. The subject is: “Your order has been dispatched” (followed by a code number). There is no text body in the email, however, the attached malicious Word file does its trick once the user allows the macros usage. Those, who open the Word file and enable the macros end up with Locky ransomware and encrypted files.  

According to Comodo experts, the attack occurred on May 17 and lasted about 12 hours.  It is roughly calculated that there are about 30 million spam messages released, pretending to be an update from Amazon on a shipping order.

Locky Virus Ransomware File Removal

The malicious messages campaign was also detected by Proofpoint researchers, who put the estimate at about 100 million fake Amazon messages. According to them, the Locky ransomware attack came from U.S. to European email servers and included not only the malicious Word document attachment but also some Locky-laced JavaScript attachments.

The email campaign of Locky ransomware is not something new.  Security researchers have been ringing the bell of such attacks since the beginning of 2016. A huge distribution campaign of Locky was detected earlier in March, where the malware was distributed through a spam campaign via JavaScript attachments. This new attack over Amazon, however, shows another trend of ransomware distribution – the use of Microsoft Office macro attacks.

This recent case comes as a warning that everyone using the Internet should be aware of the variety of threats and their sophisticated ways of distribution. Learning how to prevent and deal with malware is essential for a safe online experience. With some simple tips like ensuring all devices are updated, the anti-malware software being regularly patched and safety backups made, many users may save their money and nerves.



About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment