Locky Ransomware Campaign Targets OPM Data Breach Victims

The actors behind Locky ransomware have started using data from the OPM data breaches of 2014 and 2015 as part of a new campaign to spread cryptoransomware. It is unclear how much of the data has been obtained, although in total, 22 million user records were stolen in the OPM data breach.

The mass spam emails contain a malicious JavaScript file which downloads Locky onto computers. Once installed the ransomware can encrypt files on the infected machine and network drives. At present there is no way of decrypting files locked by the ransomware. Files must either be recovered from backups or the ransom must be paid to obtain decryption keys.

Individuals whose email addresses were obtained in the OPM data breach are being sent a fake notification that appears to have come from OPM account manager Eli Lucas. The email message says “Carole from the bank notified us about the suspicious movements on out account.”

The recipient is asked to check the scanned image attached to the email. That attachment is a zip file; if its contents are unpacked and the JavaScript file inside is run, Locky is downloaded.

Victims of the OPM data breach have already been told that their data were stolen, so they are likely to be alert to the risk of fraud. A notification about suspicious account activity is therefore a plausible lure that may convince many to open the malicious attachment, and since the email appears to have come from within OPM, employees may assume it is genuine.

The latest Locky campaign was detected by anti-phishing training company PhishMe. So far the PhishMe team has identified 323 unique JavaScript attachments that are being used to deliver Locky. The payloads are downloaded from 78 URLs, which PhishMe believes are mostly hacked websites. Those sites are hosted in countries all around the world, which creates a problem for law enforcement: should one site be taken down, there are many others that can be used to spread the ransomware.

One of the most effective ways of preventing infections – along with using spam filters – is security awareness training. Simply receiving a malicious email will not result in a ransomware infection. End users must open the emails and attachments. By providing training, end users can become more skilled at identifying malicious emails that bypass spam filters.

The latest campaign includes many of the red flags that end users can be trained to spot. The email contains a spelling mistake and grammatical errors. The file attachment is sent in a zip file and the user is required to run a JavaScript file.
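As an added example (not code from the article or from PhishMe), the following Python check shows how a mail gateway or triage script could flag the attachment pattern described here: a zip archive whose member is a Windows script file rather than the promised scanned image. The sample message, sender address and archive are constructed inline for the demonstration.

```python
from __future__ import annotations

import email
import io
import zipfile
from email.message import EmailMessage

# Extensions that Windows Script Host or mshta will execute on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def suspicious_archive_members(data: bytes) -> list[str]:
    """Return the names of zip members whose extension is a Windows script type."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if any(name.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS):
                    hits.append(name)
    except zipfile.BadZipFile:
        return []  # not a zip at all; nothing to report from this check
    return hits


def scan_message(raw: bytes) -> list[str]:
    """Walk the MIME parts of a raw email and report zip attachments hiding scripts."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        # Check by name and by magic bytes so a renamed archive is still inspected.
        if filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            for member in suspicious_archive_members(payload):
                findings.append(f"{filename} contains script {member}")
    return findings


def build_sample() -> bytes:
    """Constructed lure in the shape described in the article: a 'scan' that is a .js in a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_0001.js", "// placeholder text, not a real payload\n")
    msg = EmailMessage()
    msg["From"] = "account-manager@example.invalid"  # hypothetical sender
    msg["Subject"] = "Suspicious movements on the account"
    msg.set_content("Please check the scanned image attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="scan_0001.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` returns one finding naming the archive and the script inside it; a gateway would quarantine such a message rather than deliver it.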

If end users stopped to think about the email, they might ask why a bank would contact an OPM account manager about the problem rather than the individual account holder.

While these flags may make it obvious to most people that something is amiss, it only takes one employee to open and run the attachment for the ransomware to be installed. If all employees are not trained in email and web security, a scam such as this could all too easily result in a ransomware infection that spreads across an entire network.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news