OPM Data Breach Victims targetted by Locky Ransomware Campaign

The culprits responsible for Locky ransomware have begun using data obtained in the OPM data breaches of 2014 and 2015 in a new campaign designed to spread cryptoransomware. It remains unknown exactly how much data was obtained, however in total, around 22 million user records were stolen in the OPM breach.

The spam emails, sent out en mass, include a malicious JavaScript file which downloads Locky onto the computers of unsuspecting recipients. When installed, the ransomware encrypts files on the infected device and network drives. Currently there is no known method to decrypt files which have been locked by the ransomware. The only options are to recover files from from backups or a ransom must be paid to the wrongdoers in order to obtain the relevant decryption keys.

Those whose email addresses were stolen in the OPM data breach are sent a forged notification that claims to have come from Eli Lucas, the OPM account manager. This email indicates that “the bank” has notified OPM of suspicious action on their account.

The recipient is then requested to verify the scanned image that is attached to the email. The bank record is contained in a zip file. If the contents of the said file are unpacked and the malicious JavaScript file is run, Locky ransomware will be downloaded to the recipient’s computer.

Victims of the OPM data breach have been informed that their data was stolen, therefore they are probably aware of a risk of a considerable risk of fraud. Unfortunately, as the email appears to be from within OPM, this may influence many employees to open the malicious file attachment as they might assume that the email is genuine.

The most recent Locky campaign was discovered by the anti-phishing training company Phishme. Thus far Phishme has confirmed 323 unique JavaScript attachments that are currently being used to transmit Locky. The payloads are being downloaded from 78 URLS, which PhishMe thinks are, for the most part, hacked websites. The relevant sites are hosted in countries all over the globe. Obviously, this creates a real difficulty for police who investigate the problem. In the event that one site be taken down, many others which can be used to spread the ransomware remain active.

Together with the use of spam filters, one of the most successful methods of avoiding infections is to provide employees with security awareness training. Receipt of a malicious email does not have to result in ransomware infection. Recipient users must open the emails and attachments to allow the ransomware to download to their devices. By offering them training, the end users should become more skilled at recognizing malicious emails that have bypassed spam filters and therefore know not to open attachments.

The most recent campaign includes many of the warning signs that end users can easily be trained to recognize. For instance, the email contains one spelling mistake and some grammatical errors. The attachment is sent via a zip file and the user is asked to run a JavaScript file.

If end users took the time to stop and think about the email, they may become suspicious as to why the bank would be contacting an OPM account manager concerning the problem, as opposed to the individual account holder.

Although these flags may appear evident to most individuals that something is amiss, it must be remembered that it only takes one employee to mistakenly open and run the attachment for the ransomware to be installed. Should training not be provided to all employees via email and web security, scams of this nature could easily result in a ransomware infection that effects an entire network.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on https://twitter.com/defensorum and contact Emma at emmataylor@defensorum.com.