New Ransomware Campaign Targets Teachers Working Remotely

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

The COVID-19 has pushed teachers to work from home, deliver online classes to their students, and expect the submission of the assignments via the online platform. Malicious actors are here again to exploit the situation and set up traps for the teachers, with the ultimate goal being to plant ransomware on the school’s network and demand the payment of a small ransom.

The ongoing campaign was noticed by Proofpoint researchers, who are warning about it while we’re still at an early phase.

Source: Proofpoint

The actors are sending emails using subjects like “Son’s Assignment Upload” or “Assignment Upload Failure for [Name of Student],” posing as the parent of a student who supposedly couldn’t upload the assignment on the school’s remote teaching platform.

Related: Trump-Themed Phishing Campaign Demonstrates Hacker Reflexes

The idea is to trick the teacher into accepting the submission over email, while the addresses are likely sourced from public records. The attachments are either a ZIP or a DOC file, and they are laced with macros that fetch malware from ‘notabug.org.’

Source: Proofpoint

If the victim “enables content” on their MS Office Suite, and once the code hosting service successfully fetches the executables, the attacker receives a notification SMS so that he/she may take over the extortion process.

The malware is a simple piece of ransomware written in Go, and which appends the “.encrypted” filename extension on the locked files. The victim also gets a warning dialog where the actors identify themselves as “employer21.”

Source: Proofpoint

The message to the victim demands the payment of $80 in Bitcoin, which isn’t a significant amount, so it’s set to match the victim’s level. Teachers would be more likely to pay a small amount in order to get their files back. However, and as Proofpoint clarifies, the wallet address they found in the sampled .txt files (ransom notes) appears to be empty for now.

Still, this serves as another example of how even low-level actors can engage in narrow-targeted ransomware campaigns that aim for a small and quick buck. Teachers who work from home should keep this example in mind, and be very careful when they receive documents that ask them to “enable content.” In almost all of the cases, this is an attempt to infect them with malware.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: