A phishing campaign pushing Locky ransomware is targeting some of the 22 million victims of the massive United States Office of Personnel Management breaches of 2014 and 2015.
According to researchers at PhishMe Intelligence, the campaign involves attackers impersonating OPM representatives who are targeting government contractors and workers that have had personal information stolen from them.
Attackers are using phishing messages that warn targets that the OPM has detected “suspicious movements” in their bank accounts. The email goes onto ask recipients to “examine the attached scanned record.” At the bottom of the phishing attack messages is the email signature of Elis Lucas, account manager with the U.S. Office of Personnel Management.
The attachment is a zip archive that when launched runs a JavaScript application that downloads and runs a sample of the Locky encryption ransomware. The attackers, researchers wrote, are demonstrating their “unscrupulous nature and willingness to exploit the misfortune of others at any step in their delivery and infection process.”
PhishMe found 323 unique JavaScript application attachments used in the campaign with the capability of downloading obfuscated Locky payloads from 78 command-and-control payload locations.
Of note, PhishMe said, the sample it found contained four hardcoded command-and-control hosts, as well as a single payment site where victims could pay their ransom in Bitcoin in exchange for an encryption key.
Locky has been potent since its initial detection on Feb. 16 – with attempts to infect computers in more than 100 countries. The preferred Locky attack vector has been email messages that contain an attached Word document embedded with a malicious macro. Once the macro is engaged, a script is initiated and Locky is downloaded onto a victim’s PC. The ransomware was used to target hospitals starting with Hollywood Presbyterian Medical Center in Los Angeles, which paid a $17,000 ransom, and this summer was spread by the Necurs botnet.
According to a Check Point analysis of Locky, researchers have documented at least 10 different Locky downloader variants. In those cases, each variant has tried to avoid detection by hiding the Locky payload in different file types (.doc, .docm, .xls and also .js) that claim mostly to be invoice attachments.
According PhishMe, “These emails reinforce the fact that overcoming the phishing threat and the ransomware it delivers is not some insurmountable task. Instead, user education and the bolstering of incident response practices can give organizations the edge over threat actors.”