OPM breach aftermath: Locky exploits data stolen from the victims

Locky ransomware is recognized as one of the most active cyber infections of the first half of this year, and with its expanding distribution channels it is not expected to give up that leading position any time soon. It is currently estimated that around 97% of all malicious email attachments carry Locky itself or a modified version of it. Among these versions are Thor, Shit virus, Perl ransomware and, possibly, a few other Locky remakes that researchers have not yet come across.

When it comes to Locky's distribution and infiltration methods, there is something new to learn almost every day. For instance, earlier in November, virus analysts disclosed that the major malvertising campaign ShadowGate now spreads two versions of Locky via the Bizarro Sundown exploit kit, a new and dangerous addition to the Angler and Rig kits that the Locky developers initially used for distribution. But perhaps the discovery most useful to regular users was made by the PhishMe team.

The PhishMe researchers have discovered a new tactic that the attackers use to deceive users into opening email attachments carrying the Locky payload. The researchers call it the OPM Bank Fraud, or simply the OPM scam. OPM stands for the US Office of Personnel Management — the institution under whose name the attackers send potential victims a fraudulent notification warning about a supposed financial offense. The users receive the following message:

Dear [NAME],
Carole from the bank notified us about the suspicious movements on out account. Examine the attached scanned record. If you need more information, feel free to contact me.

The email carries a ZIP attachment that hides a malicious JavaScript file. Opening that file is enough: the Locky download begins immediately. Notably, the campaign specifically targets victims of the infamous OPM breaches of 2014 and 2015; in other words, Locky's creators exploit the fears of previous cyber crime victims in order to infect their computers. To evade detection, the attackers have already used over 323 unique attachment names, while the payload has been downloaded from 78 distinct URLs. Such practices hamper detection and prevention based on file names or URL blocklists and, generally, bring ransomware distribution to a whole new level. Business owners are therefore strongly advised to brief their staff on online security precautions and to choose a trustworthy data backup solution.
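Because the attachment names and download URLs rotate constantly, a defensive check has to look at what the attachment is rather than what it is called. The following is an added example (not code from the article, PhishMe, or 2spyware) of a mail-gateway style triage routine: it parses a raw RFC 822 message, opens any ZIP attachment in memory, flags script-like members such as .js files, and separately notes whether the message body contains phrases from the lure quoted above. The sample message, its addresses, the lure phrase list and the script extension list are all constructed assumptions for the demo; the ZIP only contains a harmless placeholder file.

```python
"""Triage incoming mail for ZIP-wrapped script attachments (added example).

Assumptions (not from the article): the mail is available as raw bytes,
the extension and phrase lists below are generic choices, and the sample
message is constructed here purely to exercise the check.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types commonly abused as droppers inside ZIP attachments (assumed list).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1")

# Phrases taken from the lure quoted in the article; used only as a soft signal.
LURE_PHRASES = ("scanned record", "suspicious movements", "Office of Personnel Management")


def scripts_in_zip(data: bytes) -> list:
    """Return names of script-like members inside a ZIP blob; empty if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def analyse_message(raw: bytes) -> dict:
    """Inspect attachments by content and the body by lure phrases; return findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {"script_attachments": [], "zip_scripts": {}, "lure_phrases": []}

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase.lower() in text.lower():
            findings["lure_phrases"].append(phrase)

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # A bare script attachment is suspicious regardless of its name.
        if name.lower().endswith(SCRIPT_EXTENSIONS):
            findings["script_attachments"].append(name)
        # A ZIP is opened in memory so the decision does not depend on the file name.
        members = scripts_in_zip(payload)
        if members:
            findings["zip_scripts"][name] = members

    if findings["script_attachments"] or findings["zip_scripts"]:
        findings["verdict"] = "block"
    elif findings["lure_phrases"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "allow"
    return findings


def build_sample_lure() -> bytes:
    """Construct a message resembling the OPM lure: ZIP attachment wrapping a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder member, not a real dropper.
        zf.writestr("scanned_record_4711.js", "// placeholder content\n")
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"   # constructed address
    msg["To"] = "employee@example.invalid"    # constructed address
    msg["Subject"] = "Suspicious movements on your account"
    msg.set_content(
        "Dear Jane,\n"
        "Carole from the bank notified us about the suspicious movements on out account. "
        "Examine the attached scanned record.\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scanned_record.zip")
    return bytes(msg)


if __name__ == "__main__":
    print(analyse_message(build_sample_lure()))
```

Renaming the attachment to any of the 323 names seen in the campaign leaves the verdict unchanged, because the decision is made on the ZIP's members rather than on the outer file name; the lure-phrase match alone only yields "review", so an innocent message mentioning a scanned record is not blocked outright.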

About the author
Linas Kiguolis

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.
