OPM-themed ransomware targets U.S. government workers

The messages warned receivers that their respective banks had notified OPM of suspicious account activity that could be reviewed via a malicious attachment.

A ransomware campaign designed to target U.S. government workers and employees of federal contractors flooded thousands of email inboxes. Each email contained a malware laden attachment and was written to appear like it came from the Office of Personnel Management. The messages warned receivers that their respective banks had notified OPM of suspicious account activity that could be reviewed via a malicious attachment.

A group of security researchers from Leesburg, Va.-based firm PhishMe first spotted the Locky ransomware campaign Tuesday.

Locky is a common, Windows-based ransomware variant that was first discovered in Feb. 2016. The typical ransom price to receive a decryption key for Locky is roughly 0.5 bitcoin, which is around $360 as of this article’s publication.

The researchers believe that the campaign was not designed to coincide with the U.S. election.


“The first messages in this set were captured by PhishMe’s collections at 06:39 Eastern and the last one was received at 12:53 Eastern time. The threat actors’ selection for this timeframe is significant since it encompasses both the earliest risers on the US east coast and the start of the business day for the US west coast as well,” said PhishMe Threat Intelligence Manager Brendan Griffin, “the criminals were likely trying to reach people as they got into the office for work or checked their email for the first time today.”

PhishMe collected more than 10,000 email copies associated with the OPM-themed scheme and estimates that far more were distributed nationally.

“Part of what’s interesting is that of all the governmental entities, the threat actors chose the Office of Personnel Management. This could be interpreted as evidence that the threat actors have some topical understanding of the people they are trying to reach—government employees or those affected by the OPM breach. However, the email message really missed the mark,” said Griffin.

In the real world, OPM is not responsible for notifying citizens of “suspicious movement” apparent in their bank accounts.

“Even if the threat actors were really clever and intended to make a phishing email that appealed to those who signed up for identity theft monitoring services after the loss of personal information, the firms providing those services aren’t going to send an email as the Office of Personnel Management,” said Griffin, “context for email matters and while the threat actors are able to craft a topically-relevant message, anomalies can be quite evident.”


Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.
