A large malspam campaign using spoofed email addresses has attempted to infect recipients with Locky ransomware in roughly 20 million detected attacks since Tuesday, researchers from Barracuda Networks have reported.

According to Fleming Shi, Barracuda's senior vice president of advanced technology engineering, it appears that the bot behind the campaign is able to generate fake email addresses that make it look as if the offending email is arriving internally from the recipients' own organization. "This makes it a little more likely people will click on it," said Shi, speaking with SC Media.

In a blog post published on Thursday, Barracuda states that the emails come with a 7-zip attachment that purports to be documentation related to a business payment, but actually contains a malicious JavaScript file. Originally, Barracuda did not specify which ransomware family the malware belongs to, but it did note that the zip archive file concealed malicious .JS malware, a tactic that has been observed recently in a recent wave of Locky malspam campaigns, fueled by the Necurs botnet.

Another clue: the malspam emails' subject line includes a date, followed by a random number, which is also characteristic of the recent Locky attacks. Indeed, after further analysis, Barracuda is now officially confirming that the malware is in the Locky family. 

Shi told SC Media that the volume of attacks diminished on Thursday after peaking on Wednesday, but the campaign still continues as of the writing of this article.

"We advise against making payment to ransomware criminals because this doesn't guarantee the decryption of your files and it encourages them to target you again in the future," Barracuda advises in its blog post.