Australia is a land that is blessed by natural beauty and plentiful resources. Its isolation in the Indian and Pacific Oceans has helped protect it from many global afflictions that have hit other lands closer to world population centers. While Australia’s geography has long shielded it from storms, what worked in the past does not always work in the present.
This is particularly true of digital threats. Since the middle of 2014, Symantec has observed a major global surge in the occurrence of many different cryptomalware families such as Cryptolocker, Cryptodefense, and Cryptowall. Our telemetry has shown that, as a global problem, cryptomalware has increased roughly 14-fold since May of this year. In Australia, we observed a similar increase of over 1,300 percent in the same period, indicating that Australians are not escaping this global surge.
Cryptomalware is a particularly insidious form of threat that encrypts data files on the compromised computer and then attempts to extort money from the victim in order to have the files restored. Since many of us use personal computers to create and store documents for study or work, as well as media files of precious memories, the loss of these files can be particularly painful. This is what makes this form of extortion so effective for the criminal perpetrators.
What’s happening down under?
Recent examples of cryptomalware affecting Australian users tend to be from the Trojan.Cryptolocker.F family. This particular threat propagates through email-based social engineering tricks. These tricks are tailored to the geographic region in which the attacks are being performed, but they all follow a similar modus operandi. In Australia, users are sent emails that typically look like they came from local companies such as an Australian energy supplier (view a bill) or an Australian postal delivery company (details of parcel delivery).
Regardless of the theme used, the trickery works in the same way:
- An unsuspecting user receives an email informing them of an offer, bill, or parcel delivery.
Figure 1. Australian-themed social engineering email informing the recipient of a pending parcel delivery. Note the poor English.
- The email requests that the user follow a link to view the message details, or in this case to print out a label.
- Once the link is clicked, the user is presented with a genuine-looking but fake Web page that matches the scam’s theme. The page contains a CAPTCHA code which the user is asked to enter before they can view the message. The CAPTCHA is used by the attackers to ensure that a person is actually viewing the fake Web page; this is most likely intended to prevent security vendors from automatically downloading the attackers’ malware files.
Figure 2. Fake Australian-themed website used in conjunction with the fake parcel delivery email. Note the CAPTCHA code entry form near the bottom of the page.
- Once the user enters the code, they are offered a zip file to download and open. The zip file is supposed to contain a document, but actually holds an .exe file.
Figure 3. Offered file download is a zip file, which should arouse suspicion.
- If the file is downloaded and opened, the malware is executed and begins to search for data files before encrypting them using industry-grade encryption technology.
- Finally, when all files are encrypted, the user is presented with an ominous message informing them of their misfortune and what steps they need to follow in order to pay and have their precious files restored.
Figure 4. Ransom demand page shown after all data files have been encrypted. Users should refrain from making payments as paying does not guarantee the restoration of files.
What can users do?
Cryptomalware is an increasingly common menace that is spreading throughout the world. The techniques used, however, are not particularly sophisticated. Users should remain vigilant to the threat that cryptomalware poses and take precautions to avoid suffering the consequences of an infection. Here are some practical steps that users can take to help reduce the risks:
- Get familiar with the typical social engineering scams used by cybercriminals.
- Be highly suspicious of unsolicited or unexpected emails informing you of bills, offers, or deliveries.
- If directed to a website to fill in a form, check the page and its address to see if it looks legitimate.
- Do not download archive (.zip, .jar, .tar, .7z, .msi, etc.) or executable/script files (such as .com, .exe, .scr, .bat, .js, .jse, .vb, .vbe, .wsf, .wsh, .cmd). Companies should not need to use these file types when distributing a document.
- Install and keep security software up to date to ensure you are protected against the latest threat variants.
- Keep operating systems and other software up to date with security patches.
- Get into the habit of making regular backups (using a cloud service or an offline disk) of any valuable data.
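Two observations above can be turned into a mechanical check: the lure delivers a zip file that is supposed to contain a document but actually holds an .exe (Figure 3), and the precautions list the archive and executable/script extensions that a company should never use to distribute a document. The following Python script is an added example and is not code from the original post or from Symantec. It classifies a downloaded filename against the page's two extension lists and, when the file is a zip archive, looks inside it for executables or nested archives, so a "document" that is really an .exe is flagged before it is opened. The sample zip it builds is constructed here for the demonstration, and the function names are my own.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension lists taken from the precautions in the article.
ARCHIVE_EXTS = {".zip", ".jar", ".tar", ".7z", ".msi"}
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".bat", ".js", ".jse",
                   ".vb", ".vbe", ".wsf", ".wsh", ".cmd"}


def classify_name(filename):
    """Return 'archive', 'executable' or 'ok' based on the final extension.

    Only the last suffix counts, so a double extension such as
    'label.pdf.exe' is classified by '.exe', not by the decoy '.pdf'.
    """
    ext = PurePosixPath(filename.lower()).suffix
    if ext in ARCHIVE_EXTS:
        return "archive"
    if ext in EXECUTABLE_EXTS:
        return "executable"
    return "ok"


def inspect_zip(data):
    """List (member name, verdict) for every zip member that is not 'ok'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_name(info.filename)
            if verdict != "ok":
                findings.append((info.filename, verdict))
    return findings


def assess_download(filename, data=b""):
    """Judge a download by its outer name and, for zip payloads, by its contents.

    Returns a dict with the outer verdict, the inner findings and a final
    'block' decision. Any archive is blocked, as the article advises; the
    inner findings explain why the archive deserved suspicion.
    """
    outer = classify_name(filename)
    inner = []
    if outer == "archive" and data[:2] == b"PK":  # zip magic; other formats are not opened here
        try:
            inner = inspect_zip(data)
        except zipfile.BadZipFile:
            inner = [(filename, "corrupt archive")]
    block = outer != "ok" or bool(inner)
    return {"outer": outer, "inner": inner, "block": block}


def build_sample_zip():
    """Constructed sample (hypothetical): a zip posing as a parcel label that holds an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Parcel_Delivery_Label.pdf.exe", b"MZ placeholder, not a real program")
        zf.writestr("readme.txt", b"Print the label and bring it to the depot.")
    return buf.getvalue()


if __name__ == "__main__":
    print(assess_download("Parcel_Delivery_Label.zip", build_sample_zip()))
    print(assess_download("bill.pdf", b"%PDF-1.4"))
```

The check is name-based only, which is exactly what a user can do by eye from the download prompt in Figure 3; a mail gateway or endpoint agent would pair it with content inspection of the members, since an attacker controls every name inside the archive.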
Last but not least, if you do happen to be impacted by cryptomalware, it may be tempting to just pay up in order to get your files back. However, there is absolutely no guarantee that the files will actually be restored. Remember, these are criminals and they have absolutely nothing to gain by keeping their word. By paying the ransom, people are effectively making this crime even more attractive to attackers.