The actors behind Locky ransomware have started using data from the OPM data breaches of 2014 and 2015 as part of a new campaign to spread crypto-ransomware. It is unclear how much of that data the attackers have obtained, although in total, 22 million user records were stolen in the OPM data breach.
Individuals whose email addresses were obtained in the OPM data breach are being sent a fake notification that appears to have come from OPM account manager Eli Lucas. The email message says “Carole from the bank notified us about the suspicious movements on out account.”
Victims of the OPM data breach have already been made aware that their data have been stolen, so they are likely to be aware of the risk of fraud. That awareness makes the lure credible and may convince many to open the malicious file attachment. Since the email appears to have come from within the OPM, employees may think the email is genuine.
One of the most effective ways of preventing infections – along with using spam filters – is security awareness training. Simply receiving a malicious email will not result in a ransomware infection. End users must open the emails and attachments. By providing training, end users can become more skilled at identifying malicious emails that bypass spam filters.
If end users stopped to think about the email, they might become suspicious of the fact that the bank is contacting an OPM account manager about the problem, rather than the individual account holder.
While these red flags may make it obvious to the majority of individuals that something is amiss, it only takes one employee to open and run the attachment for the ransomware to be installed. If training on email and web security is not provided to all employees, scams such as this could all too easily result in a ransomware infection that spreads across an entire network.