Skip to main content

Cybercriminals are impersonating parents for ransomware attacks on teachers

(Image credit: Future)

The transition to distance learning has been hard enough for teachers around the world but now researchers at Proofpoint have observed a new targeted campaign that attempts to infect their computers with ransomware.

The campaign uses messages where the attacker poses as a parent or guardian submitting an online assignment on behalf of a student claiming that the student encountered technical issues when trying to submit the assignment themselves. However, instead of attaching an assignment to their emails, the attacker has attached a malicious document that downloads a custom ransomware payload.

At the beginning of October, researchers at Proofpoint discovered a new targeted email campaign that uses subjects such as “Son's Assignment Upload”, “Assignment Upload Failure for [Name]” or “[Name]'s Assignment Upload Failed”. The emails themselves contain a malicious document stored in a zip file and the campaign attempts to lure in victims with a plea from a parent asking a teacher to accept an assignment submission over email.

According to Proofpoint, the targets of the campaign were individuals teachers and the attacker responsible likely pulled their email addresses from public pages of a school website.

Targeting teachers

The malicious document contained in the campaign's emails appears to have been custom created by the attacker. It uses external relationships (Remote Template injection) to download another malicious document that can then download the malware executables if a user has macros enabled.

The malware executables are hosted on the free code hosting service notabug[.]org and the macro also uses a free web bug service called Canarytokens which notifies the attacker whether the downloaded executable was started successfully or not.

While Proofpoint didn't perform a deep analysis of the malware, it appears to be a custom and relatively simplistic ransomware written in the programming language Go that goes by the name “cryptme”. The firm's researchers provided further insight on this new ransomware campaign in a blog post, saying:

“Students and school systems have faced unique problems in 2020, and these messages take advantage of widespread technological difficulties accompanying online learning. The messages are well crafted with a clear understanding of what would appeal to recipients, though as of this writing, Proofpoint researchers have not observed any payments posted to the ransom note Bitcoin address. While this campaign was very small, it’s possible that this and other actors will continue using themes of technology issues and online learning to lend legitimacy and urgency to their lures.”

To avoid falling victim to this new ransomware campaign, teachers should be extra vigilant when checking their email and avoid opening messages from unknown senders.