Locky ransomware is back in the spotlight, after FireEye Labs, a cybersecurity and malware protection provider, observed the virus has evolved and is targeting hospitals with a massive campaign.

This latest campaign began between August 9 and 15, with the largest spike in attempts on August 11.

The ransomware strain – first observed by security researchers in February this year – began as a straight-forward virus sent in an email attachment disguised at a Microsoft Word invoice.

[Also: Security vendors ready ransomware decryption tools to help hospitals under cyberattack]

This latest campaign, however, uses DOCM files (macro-enable files used in Microsoft Word) to deliver the ransomware payload. According to a FireEye Labs’ report, this is a distinct change from campaigns distributed in March, where JavaScript-based downloaders were used.

The malicious attachment was sometimes accompanied with a message that stated someone else had asked for financial files to be forwarded, according to FireEye.

The latest Locky email campaigns are directed at various industries, but the amount of emails sent to healthcare organizations vastly surpasses other industries, including financial and federal government agencies. Further, these are global attacks, but the U.S. tops the list again for campaign size.

“These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits,” according to report authors.

FireEye researchers have also discovered the banking malware Dridex, which also leverages Microsoft Word macros, has nearly stopped. The authors explained this might explain the upswing in Locky distribution.

Each email campaign has distinct ‘one-off’ codes, used to download Locky from the malware server and the malicious URL is embedded within macro code, using the same encoding function.

“The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing,” according to the report. “On top of that, cybercrime trends have shown that attackers are distributing more ransomware these days than banking Trojans, as the former appears to be more lucrative.” 

Cybersecurity special report: Ransomware will get worse, hackers targeting whales, medical devices and IoT trigger new vulnerabilities