Locky ransomware campaign exploits fears of data stolen in OPM hack


Emails tell victims they need to download an attachment to view “suspicious activity” – then infects them with ransomware.

In the immediate aftermath of a major data breach, cybercriminals often look to take advantage of the situation by sending phishing emails warning people that their credentials aren’t safe and that they must log in through a link to secure their accounts. The link is malicious, and clicking through only adds to the victim’s problems.

However, it appears that some hackers and cyber thieves are more than happy to play a longer game, with one group seemingly using last year’s Office of Personnel Management [OPM] data breach as a platform for launching a new Locky ransomware campaign.

The hack at the federal agency saw the theft of the personal details of 22 million people. Researchers at PhishMe have now spotted attackers playing on victims’ fears that they are still at risk of fraud and identity theft, using that fear in an attempt to trick them into running ransomware that encrypts their files.

The targets are sent an email which claims to be from the OPM, warning of “suspicious movements” in their bank account, with a ZIP attachment purporting to contain information about their records.

However, the archive actually contains a malicious JavaScript file which, when run, downloads and installs the Locky ransomware. Locky encrypts the victim’s files and demands a Bitcoin ransom to recover them.
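The delivery pattern described above (a ZIP attachment carrying a script file that acts as a downloader) is easy to triage at the mail gateway without ever running the attachment. The following is an added example written for this page, not code from PhishMe or from the article; the archive it builds is constructed inline, the `.js` member is an inert stub that only names COM objects and downloads nothing, and the list of downloader indicators (`ActiveXObject`, `MSXML2.XMLHTTP`, `ADODB.Stream` and so on) reflects generic Windows Script Host downloader behaviour, not details taken from the report on this campaign.

```python
import io
import zipfile

# File types Windows Script Host (or mshta) runs on double-click. A script of
# this kind inside a ZIP attachment is the delivery pattern the article describes.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}

# COM objects that JScript/VBScript downloaders commonly instantiate to fetch a
# payload and write it to disk. Generic WSH downloader indicators, not details
# taken from the PhishMe report on this campaign.
DOWNLOADER_INDICATORS = (
    "ActiveXObject",
    "MSXML2.XMLHTTP",
    "WinHttp.WinHttpRequest",
    "ADODB.Stream",
    "WScript.Shell",
    "Scripting.FileSystemObject",
)

MAX_SCAN_BYTES = 1_000_000  # upper bound on a member we are willing to read


def script_extension(filename):
    """Return the script extension of a member name, honouring double-extension
    disguises such as 'records.pdf.js'; None if the member is not a script."""
    basename = filename.rsplit("/", 1)[-1].lower()
    for ext in SCRIPT_EXTENSIONS:
        if basename.endswith(ext):
            return ext
    return None


def triage_zip(zip_bytes):
    """Inspect a ZIP attachment held in memory (never extracted to disk) and
    return one finding dict per script member it contains."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [{"member": None, "reason": "not a valid ZIP archive"}]

    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = script_extension(info.filename)
            if ext is None:
                continue
            finding = {
                "member": info.filename,
                "extension": ext,
                # 'records.pdf.js' style names try to pass as a document
                "disguised": info.filename.lower().count(".") > 1,
                "indicators": [],
            }
            if info.file_size <= MAX_SCAN_BYTES:
                body = archive.read(info).decode("utf-8", errors="ignore")
                finding["indicators"] = [i for i in DOWNLOADER_INDICATORS if i in body]
            findings.append(finding)
    return findings


def is_suspicious(zip_bytes):
    """Gateway verdict: any script member at all is enough to quarantine."""
    return bool(triage_zip(zip_bytes))


def build_sample_zip():
    """Constructed sample modelled on the lure: a 'records' archive carrying an
    inert .js stub. The stub only names COM objects; it performs no download."""
    stub = (
        "// constructed stub for exercising the triage, not a real downloader\n"
        'var http = new ActiveXObject("MSXML2.XMLHTTP");\n'
        'var stream = new ActiveXObject("ADODB.Stream");\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("OPM_records.pdf.js", stub)
        zf.writestr("readme.txt", "no script here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

The check deliberately keys on the member's file type rather than on the indicator strings: a downloader can obfuscate every COM object name, but it cannot hide the fact that Windows will hand a `.js` member to the script host. The indicator list is there to enrich the alert, not to decide it.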

Email claiming to be from the OPM, carrying a ransomware payload. Image: PhishMe

“The Locky threat actors once again demonstrate their unscrupulous nature and willingness to exploit the misfortune of others at any step in their delivery and infection process,” says Brendan Griffin, threat intelligence manager at PhishMe.

Ransomware has surged this year, recently becoming one of the three most common malware threats, and the total cost of damage from these attacks is set to top $1 billion before the end of 2016, with Locky the most prevalent ransomware family.

Previously an attack method focused more on individual users and home networks, ransomware is now targeting more and more businesses: they are bigger targets, and the perpetrators are often able to demand higher ransoms to decrypt the files.

One infamous example saw Locky ransomware take down the network of a high-profile Los Angeles hospital, which paid a ransom of $17,000 to the attackers in order to regain access to crucial systems.

But it isn’t just large organisations that are targeted by ransomware; small and medium-sized businesses are attacked too, and more than ever before. According to figures from Kaspersky Lab, small businesses faced eight times more ransomware attacks during the third quarter of 2016 than during the same period last year.

According to the Kaspersky Security Network, 27,471 attempts to block access to corporate data were detected and repelled by Kaspersky software in Q3 2016, compared to 3,224 similar attacks in the same period of 2015.