CryptFile2 ransomware variant targeting state and local governments

The ransomware is delivered through malicious URLs, instead of being embedded in an attachment.

A ransomware variant discovered earlier this year is now targeting state and local governments, according to a California-based security firm.

Sunnyvale, California-based Proofpoint detected the CryptFile2 variant in an email campaign last week. The campaign differs from the way attackers distributed the ransomware earlier this year: the most recent emails carried malicious URLs instead of attachments laced with malicious payloads.

Proofpoint also observed emails in the campaign with subject lines promising discounted flights from American Airlines.

Once recipients click on a malicious URL, they are led to a site that instructs them to download a Microsoft Word document. If opened, the document uses a social engineering lure to entice the user to enable macros. The macros, in turn, download the final ransomware payload.
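The chain above (lure email with a link, a downloaded Word document, a macro that fetches the payload) gives a mail gateway or analyst two cheap places to check: does the link point somewhere other than the brand the sender claims to be, and does the document the link serves actually carry a VBA project? The following script is an added example written for this page, not Proofpoint's detection logic or anything from the report. The email, the domains (all under the reserved `example.com`/`example.net`/`example.gov` names) and the minimal Office packages are constructed for the demonstration. It flags links whose host is not under the sender's domain, and classifies an Office file as macro-bearing by looking for `vbaProject.bin` inside the OOXML zip container; legacy binary `.doc` files are only recognised by their OLE2 signature and handed off as needing a real OLE parser.

```python
import io
import re
import zipfile
from email import message_from_string, policy
from urllib.parse import urlparse

# OLE2 compound-file signature (legacy .doc/.xls); also the header of vbaProject.bin.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(raw_message: str) -> list:
    """Return every http(s) URL found in the text parts of an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def sender_domain(raw_message: str) -> str:
    """Domain of the first From: address, lower-cased."""
    msg = message_from_string(raw_message, policy=policy.default)
    return msg["from"].addresses[0].domain.lower()


def suspicious_urls(raw_message: str) -> list:
    """URLs whose host is not the sender's domain or a subdomain of it.

    A lure that claims to come from an airline but links to an unrelated
    host is exactly the pattern the URL-based campaign relies on.
    """
    dom = sender_domain(raw_message)
    flagged = []
    for url in extract_urls(raw_message):
        host = (urlparse(url).hostname or "").lower()
        if host != dom and not host.endswith("." + dom):
            flagged.append(url)
    return flagged


def classify_office_document(data: bytes) -> str:
    """'macro' if an OOXML package contains a VBA project, 'no-macro' if not,
    'legacy-ole' for binary .doc/.xls (needs an OLE parser such as oletools),
    'not-office' for anything else."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return "not-office"
    # Word stores macros in word/vbaProject.bin (Excel: xl/vbaProject.bin).
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"
    return "no-macro"


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed, minimal OOXML package for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


# Constructed lure message in the style described in the article; all
# addresses and hosts are hypothetical and use reserved example domains.
SAMPLE_EMAIL = """\
From: "American Airlines Deals" <promotions@aa.example.com>
To: clerk@county.example.gov
Subject: 60% off domestic flights this week only
Content-Type: text/plain

Your discounted itinerary is ready. Download it here:
http://flight-deals.example.net/itinerary/AA-ticket.docm
Or view your account at https://www.aa.example.com/account
"""

if __name__ == "__main__":
    for url in suspicious_urls(SAMPLE_EMAIL):
        print("off-domain link:", url)
    for label, doc in (("lure.docm", build_sample_doc(True)),
                       ("clean.docx", build_sample_doc(False))):
        print(label, "->", classify_office_document(doc))
```

The domain comparison is deliberately strict (exact host or subdomain); it will also flag legitimate third-party links, so in practice it is a scoring input rather than a block rule. The macro check only answers "is there a VBA project at all", which is the question the lure depends on; whether that project is a downloader still needs the VBA source, which `oletools`' `olevba` can extract from both OOXML and legacy OLE files.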


Proofpoint detected the original variant in March, when it was delivered by the Nuclear and Neutrino exploit kits. The move from attachments to URLs is likely intended to bypass spam filters and antivirus scanning, which inspect attached files more readily than links.

Researchers found that the majority of emails sent last month, which numbered in the hundreds of thousands, targeted state and local governments, as well as K-12 education and health care organizations.

Last month, a senior official at the Multi-State Information Sharing and Analysis Center told attendees at the National Association of Counties’ annual conference that ransomware was the top concern for local governments.

Gina Chapman, the senior director of operations for MS-ISAC, said the center observed as many as 450 ransomware infections per month between October 2015 and May 2016.

Proofpoint urges public sector organizations to update their defenses to keep pace with ransomware variants that are rapidly changing and being redeployed into the wild.


“In particular, the targeting in this campaign, made possible through email distribution, brings increased risks to public sector organizations that may be less equipped to detect and mitigate these kinds of threats,” the report says. “Organizations that do not update defenses to detect and stop this latest generation of ransomware threats may find themselves in the difficult position of having to pay the ransom, which carries its own set of risks.”

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.