Talos observed the first large scale Locky campaign in months from Necurs botnet. This campaign leveraged techniques associated with a recent Dridex campaign and is currently being distributed in very high volumes. Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky. The campaign used the same subject line for tens of thousands of messages. The word document itself contains an XOR’d Macro that downloaded the Locky sample from what is likely a compromised website.”]
Source: https://blog.talosintelligence.com/2017/04/locky-returns-necurs.html

