The operators of the Locky ransomware have been spotted using a cleverly designed spam lure to trick their victims into downloading their payload and running it on their computers.
The technique, spotted by the team at PhishMe, is a fictitious notification for a series of suspicious bank operations detected by a self-proclaimed US Office of Personnel Management (OPM) account manager. The full message is:
In 2014 and then in 2015, the OPM suffered data breaches that allowed hackers to steal over 22 million user records. The spam flood is obviously targeted at US users, and more specifically at government employees who had their details stolen in the OPM breach.
In the past year, ransomware authors have redirected their focus from infecting home users to targeting the corporate and government sector, where they can infect entire networks, not just one computer at a time, and ask for higher ransom fees.
Targeting the massive OPM userbase and playing on their fears of someone abusing their leaked data to initiate fraudulent transactions is a smart strategy on the part of the Locky crew.
The good news is that the email lure contains some errors that English-speaking users can easily pick up.
First of all, the English in the email is far from perfect. Second, users can spot that something phishy is going on because banks notify the account holders themselves about fraudulent transactions, not the OPM.
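The two tells described above (an "OPM" sender that is not actually OPM, and an OPM-branded message that talks about bank transactions, which no bank would route through OPM) can be turned into a simple mail-gateway triage rule. The following is an added example written for this article, not code from PhishMe or from any product; the sample messages are constructed to mimic the lure's shape, the sender address and attachment name are placeholders, and the rule assumes that genuine OPM mail comes from the opm.gov domain.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# File extensions commonly used to deliver downloader scripts and archives.
# Treat this list as an assumption to tune for your own environment.
RISKY_EXTENSIONS = {".zip", ".js", ".exe", ".docm", ".wsf", ".vbs"}

# Wording a bank-fraud notice would use; OPM has no business sending such mail.
BANK_TERMS = re.compile(r"\b(bank|transactions?|fraudulent|payments?)\b", re.I)
OPM_CLAIM = re.compile(r"\b(OPM|Office of Personnel Management)\b", re.I)

# Constructed sample modelled on the lure described above (not a real message).
SAMPLE_EML = """\
From: "OPM Account Manager" <accounts@example.invalid>
To: employee@example.gov
Subject: Suspicious bank operations detected on your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear Customer,
We have noticed a series of suspicious bank operations with your account.
Please review the attached report and confirm the transactions.
--b1
Content-Type: application/zip; name="report.zip"
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign message for comparison.
BENIGN_EML = """\
From: "IT Helpdesk" <helpdesk@example.gov>
To: employee@example.gov
Subject: Planned mail server maintenance tonight
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

The mail server will be unavailable between 22:00 and 23:00 tonight.
"""


def triage_message(raw: str) -> tuple[bool, list[str]]:
    """Return (flagged, reasons) for one RFC 822 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    reasons: list[str] = []

    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claims_opm = bool(OPM_CLAIM.search(display_name))

    # Tell 1: the display name says OPM, but the address is not an OPM address.
    if claims_opm and domain != "opm.gov":
        reasons.append(f"sender claims OPM but address domain is '{domain}'")

    # Tell 2: OPM branding combined with bank-fraud wording. Banks notify
    # account holders directly; they do not relay fraud alerts via OPM.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if claims_opm and BANK_TERMS.search(msg.get("Subject", "") + " " + text):
        reasons.append("OPM-branded message discusses bank transactions")

    # Tell 3: the lure carries the payload as an attachment the user must run.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment: {name}")

    return (len(reasons) > 0, reasons)


if __name__ == "__main__":
    for label, eml in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        flagged, why = triage_message(eml)
        print(label, "FLAGGED" if flagged else "ok", why)
```

Each reason is reported separately so an analyst can see which tell fired; in a real gateway the OPM-domain check would be one entry in a table of impersonated brands, and the attachment list would be driven by your own sandboxing policy rather than a fixed set.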
"These emails reinforce the fact that overcoming the phishing threat and the ransomware it delivers is not some insurmountable task," PhishMe's Brendan Griffin explains. "Instead, user education and the bolstering of incident response practices can give organizations the edge over threat actors."