Phishing Campaign with Fake Extortion Demand

The Corvus Team has observed a novel phishing campaign tricking employees into downloading malware. Here’s what you need to know.


A prominent ransomware group is sending mass emails to organizations falsely claiming to have stolen data from their environments. The extortion email contains information intended to convince organizations that they have been hacked. The group attempts to trick companies that respond to the email into clicking on a link and downloading malware to their computers. Doing so facilitates future attacks, including ransomware infections.

We encourage all of our policyholders to remain vigilant and cautious when receiving any unsolicited emails or messages. Organizations should be mindful of this new phishing tactic and ensure they do not engage directly with any threat actor claiming to have stolen data from their environment.

Next Steps

We encourage your organization to take the following steps to mitigate the risk of these threats:

  1. Remind employees to forward any suspicious emails to IT/Security and train them not to open links or email attachments from unknown sources.
  2. Validate that your email security solution is filtering suspicious emails.
  3. Enable two-factor authentication on your accounts and applications where possible.
  4. Ensure you are running endpoint security software on all devices in your organization to help with early threat detection.
  5. If you are a Corvus policyholder and suspect that your organization has been targeted with this technique, immediately report it to Corvus via the claims email or hotline on your policy. Do not engage with the threat actor directly. We will bring in experts to advise you on the appropriate next steps.