Locky ransomware's authors have recently started using a different tactic to spread their product and infect victims. They now rely on spam email messages with malicious attachments, disguised as an alert notification from the US Office of Personnel Management (OPM).
The PhishMe team was the first to notice this new strategy. In the emails, an OPM account manager notifies victims about a "series of suspicious bank operations". The full message reads:
“Dear [NAME], Carole from the bank notified us about the suspicious movements on out account. Examine the attached scanned record. If you need more information, feel free to contact me.”
The emails' attachments are ZIP files, which contain malicious JavaScript files. When run, these JS files download the Locky ransomware and start encrypting files on the targeted computer. At this point, no way of decrypting files locked by Locky has been found.
Based on its telemetry data, PhishMe has detected 323 different JavaScript attachments, which download the Locky payloads from 78 different URLs.
OPM has experienced two data breaches, in 2014 and then in 2015, when crooks managed to steal more than 22 million user records. This Locky spam wave is mostly aimed at US-based users, and more specifically at the employees whose details the cybercriminals stole in those breaches.
Over the past years, researchers have noticed a change in the direction of ransomware attacks. Crooks have become more interested in targeting the corporate and government sector instead of individuals. In this way, they are able to infect not just a single user's computer but an entire network at a time, and to ask for much higher ransom sums.
Luckily, there is some good news. The malicious emails contain mistakes which may lead victims to realize they are fake. First of all, the English used is far from perfect, and a native English speaker will have no trouble picking up the mistakes.
Second, in cases of suspicious transactions, banks do not inform OPM; they get in touch directly with the account owners. These two signs, as well as the unusual JS file attachment, should be enough to raise a red flag.
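The "ZIP containing a JavaScript file" delivery method described above and the red flag it should raise can be turned into a simple mail-gateway check. The following is an added example, not code from the article or from PhishMe; the sample archive and its member names are constructed, and the set of script extensions beyond .js is an assumption about related Windows Script Host file types.

```python
import io
import zipfile

# Script-type extensions that Windows will execute on double-click. Only .js is
# mentioned in the article; the others are assumed related types (not from the page).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def risky_members(zip_bytes: bytes) -> list[str]:
    """Return archive members whose final extension is a script type.

    Double extensions such as 'scanned record.pdf.js' are caught because only
    the last extension is inspected, which is what Windows actually executes.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("/"):
                continue  # directory entry, nothing to execute
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(name)
    return flagged


def attachment_verdict(zip_bytes: bytes) -> str:
    """'block' if the archive carries a script, 'reject' if it is not a valid
    ZIP at all (a lure can also ship a corrupt file), otherwise 'allow'."""
    try:
        return "block" if risky_members(zip_bytes) else "allow"
    except zipfile.BadZipFile:
        return "reject"


def build_sample(with_script: bool) -> bytes:
    """Constructed sample attachment mimicking the lure; the member content is
    a harmless placeholder, not a real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "benign text\n")
        if with_script:
            zf.writestr("scanned record.pdf.js", "// placeholder, constructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(risky_members(build_sample(True)))   # ['scanned record.pdf.js']
    print(attachment_verdict(build_sample(False)))  # allow
```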
“These emails reinforce the fact that overcoming the phishing threat and the ransomware it delivers is not some insurmountable task.” – PhishMe’s Brendan Griffin says – “Instead, user education and the bolstering of incident response practices can give organizations the edge over threat actors.”