New Ransomware Campaign Targets Teachers Working Remotely

  • Ransomware actors send fake assignments to teachers who work remotely, hoping to infect them with malware.
  • The actors are using laced documents that fetch the malware from a legitimate code-hosting platform.
  • The ransom is only $80, which indicates a low-level actor, yet it still serves as an example of what to watch out for.

The COVID-19 has pushed teachers to work from home, deliver online classes to their students, and expect the submission of the assignments via the online platform. Malicious actors are here again to exploit the situation and set up traps for the teachers, with the ultimate goal being to plant ransomware on the school’s network and demand the payment of a small ransom.

The ongoing campaign was noticed by Proofpoint researchers, who are warning about it while we’re still at an early phase.

Source: Proofpoint

The actors are sending emails using subjects like “Son’s Assignment Upload” or “Assignment Upload Failure for [Name of Student],” posing as the parent of a student who supposedly couldn’t upload the assignment on the school’s remote teaching platform.

Related: Trump-Themed Phishing Campaign Demonstrates Hacker Reflexes

The idea is to trick the teacher into accepting the submission over email, while the addresses are likely sourced from public records. The attachments are either a ZIP or a DOC file, and they are laced with macros that fetch malware from ‘’

Source: Proofpoint

If the victim “enables content” on their MS Office Suite, and once the code hosting service successfully fetches the executables, the attacker receives a notification SMS so that he/she may take over the extortion process.

The malware is a simple piece of ransomware written in Go, and which appends the “.encrypted” filename extension on the locked files. The victim also gets a warning dialog where the actors identify themselves as “employer21.”

Source: Proofpoint

The message to the victim demands the payment of $80 in Bitcoin, which isn’t a significant amount, so it’s set to match the victim’s level. Teachers would be more likely to pay a small amount in order to get their files back. However, and as Proofpoint clarifies, the wallet address they found in the sampled .txt files (ransom notes) appears to be empty for now.

Still, this serves as another example of how even low-level actors can engage in narrow-targeted ransomware campaigns that aim for a small and quick buck. Teachers who work from home should keep this example in mind, and be very careful when they receive documents that ask them to “enable content.” In almost all of the cases, this is an attempt to infect them with malware.



Will There Be a Money Heist Season 6 on Netflix?

As Money Heist came to an end on December 3, it left fans wondering what would happen next. Even though this was...

How to Watch Atlanta Hawks Games Online Without Cable

The Atlanta Hawks are one of the most exciting teams in the NBA, with a great core of talented young players and...

Android Users Now Have Access to Google Photos’ Locked Folder

The Google Photos 'Locked Folder' is rolling out to Android and older Pixel devices that didn't get it at launch.This feature lets...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari