The operators of the Locky ransomware have been spotted using a cleverly designed spam lure to trick their victims into downloading their payload and running it on their computers.

The lure, spotted by the team at PhishMe, is a fictitious notification about a series of suspicious bank operations, purportedly sent by a US Office of Personnel Management (OPM) account manager. The full message is:

Dear [NAME], Carole from the bank notified us about the suspicious movements on out account. Examine the attached scanned record. If you need more information, feel free to contact me.
Locky spam email sample (Source: PhishMe)

The spam email carries a ZIP attachment containing a weaponized JavaScript file. Opening the file on Windows hands it to the Windows Script Host, and the script acts as a downloader: it fetches the Locky executable from a remote URL, runs it, and the ransomware begins encrypting the victim's files. At the time of writing, there is no known method of unlocking files encrypted by Locky.

Leveraging their own telemetry data, PhishMe says they've detected 323 unique JavaScript application attachments that downloaded Locky payloads from 78 distinct URLs, most of them hacked sites.

OPM victims in the crosshairs

In 2014 and again in 2015, the OPM suffered data breaches that allowed hackers to steal over 22 million user records. The spam flood is clearly aimed at US users, and specifically at government employees whose details were stolen in the OPM breach.

In the past year, ransomware authors have redirected their focus from infecting home users to targeting the corporate and government sector, where they can infect entire networks, not just one computer at a time, and ask for higher ransom fees.

Targeting the massive OPM userbase and playing on their fears of someone abusing their leaked data to initiate fraudulent transactions is a smart strategy on the part of the Locky crew.

Employee phishing training is the best method of fighting spam

The good news is that the email lure contains some errors that English-speaking users can easily pick up.

First of all, the English in the email is far from perfect. Second, users can tell that something phishy is going on because banks report suspicious transactions to the account holders themselves, not to the OPM.

These two signs, along with a JavaScript (.js) file packed inside a ZIP archive, which is no format for a "scanned record", should trigger alarm bells for most users.
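The infection chain above (ZIP attachment, script inside, downloader behaviour) also gives a mail gateway something mechanical to check, regardless of whether the user notices the broken English. The following Python script is an added example, not code from PhishMe or from this article: it parses a raw email, opens every attachment that is really a ZIP (judged by its magic bytes, not its declared name), and flags members whose extension the Windows shell or Windows Script Host would execute, recursing one level into nested ZIPs. The extension list, the constructed sample message, and the placeholder file contents are all assumptions for the demonstration; the sample is a lookalike of the lure described in the article, not the real attachment.

```python
import email
import io
import posixpath
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions that Windows will run directly when double-clicked, either via
# the Windows Script Host (.js/.jse/.vbs/.vbe/.wsf/.wsh), mshta (.hta), the
# shell (.cmd/.bat/.ps1) or as native executables. Assumed list for this example.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".cmd", ".bat", ".exe", ".scr",
}
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty ZIP


def risky_members(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return the names of archive members that would execute if opened.

    Nested ZIPs are inspected one level deep (depth limit 2) so that a
    script hidden in an inner archive is still reported as 'outer.zip/inner.js'.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(name)
            elif ext == ".zip" and depth < 2:
                for inner in risky_members(zf.read(info), depth + 1):
                    flagged.append(f"{name}/{inner}")
    return flagged


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (attachment filename, member) pairs for every executable member
    found inside ZIP attachments of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Trust the content, not the declared name or MIME type.
        if not payload.startswith(ZIP_MAGIC):
            continue
        try:
            for member in risky_members(payload):
                hits.append((fname, member))
        except zipfile.BadZipFile:
            # Looks like a ZIP but will not parse: treat as suspicious too.
            hits.append((fname, "<unreadable zip>"))
    return hits


def build_sample(member: str = "scanned_record.js") -> bytes:
    """Constructed lookalike of the lure (not the real Locky sample):
    a short message with one ZIP attachment holding a single file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "/* constructed placeholder, not malware */")
    msg = EmailMessage()
    msg["From"] = "account.manager@example.invalid"  # assumed sender
    msg["To"] = "employee@example.invalid"           # assumed recipient
    msg["Subject"] = "Suspicious bank operations"
    msg.set_content("Examine the attached scanned record.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scanned_record.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, member in scan_message(build_sample()):
        print(f"BLOCK: {attachment} contains executable member {member}")
```

A gateway rule built on this would quarantine the message rather than merely warn, since a user who has been primed to expect a "scanned record" from the bank is exactly the one most likely to click the .js file anyway.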

"These emails reinforce the fact that overcoming the phishing threat and the ransomware it delivers is not some insurmountable task," PhishMe's Brendan Griffin explains. "Instead, user education and the bolstering of incident response practices can give organizations the edge over threat actors."

Below is a portion of an infographic, courtesy of Digital Guardian, that includes basic advice for recognizing email phishing attacks. Full infographic available on Digital Guardian's site.

Phishing infographic