OPM-themed ransomware targets U.S. government workers

A ransomware campaign designed to target U.S. government workers and federal contractors flooded thousands of email inboxes this week with messages written to appear like they came from the Office of Personnel Management

The emails, each carrying a malware-laden attachment, warned recipients that their respective banks had notified OPM of suspicious account activity, which could supposedly be reviewed by opening the malicious attachment.

A group of security researchers from Leesburg, Va.-based firm PhishMe first spotted the Locky ransomware campaign Tuesday.

Locky is a common Windows-based ransomware variant that was first discovered in February. The typical ransom price to receive a decryption key for Locky is roughly 0.5 bitcoin, which is around $360 as of this article’s publication.

The researchers believe that the campaign was not designed to coincide with the U.S. election.

“The first messages in this set were captured by PhishMe’s collections at 6:39 EST, and the last one was received at 12:53 EST. The threat actors’ selection for this timeframe is significant since it encompasses both the earliest risers on the U.S. East Coast and the start of the business day for the U.S. West Coast as well,” PhishMe Threat Intelligence Manager Brendan Griffin said. “The criminals were likely trying to reach people as they got into the office for work or checked their email for the first time today.”

PhishMe collected more than 10,000 email copies associated with the OPM-themed scheme and estimates far more were distributed nationally.

“Part of what’s interesting is that of all the governmental entities, the threat actors chose the Office of Personnel Management. This could be interpreted as evidence that the threat actors have some topical understanding of the people they are trying to reach — government employees or those affected by the OPM breach. However, the email message really missed the mark,” Griffin said.

In reality, OPM is not responsible for notifying citizens of “suspicious movement” in their bank accounts.

“Even if the threat actors were really clever and intended to make a phishing email that appealed to those who signed up for identity theft monitoring services after the loss of personal information, the firms providing those services aren’t going to send an email as the Office of Personnel Management,” Griffin said. “Context for email matters and while the threat actors are able to craft a topically-relevant message, anomalies can be quite evident.”

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.