Inside Locky’s downloader

After my last post I saw a lot of Locky-related SPAM, so I decided to take a look at the downloader script that I skipped before. Almost all Locky downloader scripts that I have seen before arrived at the endpoint through a SPAM mail that usually contains a ZIP or RAR archive with a single JavaScript file that has a phishing name like swift_xxx.js or addition_xxx.js. I still find it puzzling why people keep clicking on these files, but it seems to be a very effective way of spreading this (and not only this) ransomware.
