Ransomware Emails Use OPM Breach to Lure Victims


A cybersecurity firm spotted several thousand of the emails Tuesday.

Hackers pressed "send" on an avalanche of ransomware-laden emails this week, hoping to snare victims of the Office of Personnel Management data breach, according to a cybersecurity firm.

The malicious emails, which purport to be from an “account manager” at OPM, notify recipients of “suspicious movements” on an account and direct them to open an attachment. That attachment contains malware that locks and encrypts users' computers unless they pay a ransom.

The firm PhishMe discovered “tens of thousands” of instances of the email delivered to its clients Tuesday morning. That likely means millions of the emails were delivered globally, based on typical practice with this particular brand of ransomware, called Locky, PhishMe Malware Analyst Brendan Griffin told Nextgov.


There’s no evidence the emails knowingly targeted OPM breach victims, Griffin said.

“They may expect that with the vast number of people affected by the OPM incident, they’re likely to reach at least some of that group with these emails,” Griffin said.

Some non-OPM victims might also be duped by the email, he added.

As with many malware attacks, the email contains typos and poor grammar.

The 2015 OPM breach compromised sensitive background check information about roughly 21.5 million current and former federal employees and contractors and their families. The government is offering credit monitoring to victims.

PhishMe has not seen any additional instances of the OPM email since Tuesday, Griffin said.