It seems that some malefactors are sending out unsolicited packages to all manor of organizations with what looks like a USB “thumb drive” in them (reportedly some have the logo “LilyGO”) along with things like bogus gift cards, teddy bears and the like.  Of course good security practices dictate that one should never plug it in such a “present” – you never know what the USB device might contain. In this case these devices, when plugged into a computer system, cause the USB device to automatically inject a series of keystrokes in order to download and execute a malware payload – including ransomware.

Apparently this has been going on since at least August.