Here's one group of fans George R. R. Martin may not want on the Game of Thrones bandwagon — the authors of the Locky ransomware.

According to a recent discovery from researchers at PhishMe, the group behind the Locky ransomware are big fans of HBO's hit series, so much so that they've peppered recent scripts with names of show characters and other references.

Researchers found these references in the Visual Basic script that comes part of a ZIP or RAR archive attached to email spam. If users open these emails, download the archive, and run the VB script contained within, the file would download and install the Locky ransomware.

Variable names found in this VB script reference the Game of Thrones show, such as "Aria," "SansaStark," "RobertBaration," "JohnSnow," or "HoldTheDoor" (aka Hodor).

Furthermore, the term "Throne" was used 70 times inside the script.

Locky GoT references

"The runtime for this script is indifferent to the variable names. The variable names could be anything, including completely random combinations of letters and numbers," says Victor Cornell, PhishMe researcher.

"However, the criminals responsible for this attack chose a distinctive theme for their variables, thereby revealing their interest in this pop culture phenomenon," the expert added.

According to independent security researcher MalwareHunter, the script has been deployed in live infections for some weeks.


File name: SCNMSG00001018.vbs
MD5: 170ae05fb405e9f2b2a4474739b75a66             
SHA256: fc89d30e245a8b166af2e17b2d7b6835ff15999d746b91214edcfdc7b9c5db35

Image credits: HBO