Last week, the United Kingdom’s National Crime Agency (NCA) warned that tens of millions of customers were being targeted by the Cryptolocker malware through a mass spam campaign.
According to the alert, millions of UK customers received malicious emails, but the primary targets seem to have been small and medium businesses.
A recent Symantec blog examined a threat named Trojan.Cryptolocker and how it is an aggressive evolution of the ransomware family of threats. Cryptolocker thrives by encrypting files on a victim’s computer and holding the decryption key for ransom. Interestingly, Symantec predicted this rise in ransomware in its most recent Internet Security Threat Report.
Figure 1. Example email from spam campaign leading to Cryptolocker
This recent spam campaign uses various lures to target its victims. For instance, we have seen emails claiming to be a voicemail message from an unknown number as well as an outstanding unpaid invoice.
Figure 2. Another example spam message leading to Cryptolocker
The malicious attachments themselves are downloaders, used to retrieve other threats, such as Trojan.Zbot, which ultimately lead to a Cryptolocker infection and ransom demand.
Figure 3. Payment request for decryption key
According to the NCA alert, they have observed samples of Cryptolocker requesting a payment of two Bitcoins (worth £653 as of November 18, 2013). Some of the samples Symantec analyzed requested only one Bitcoin.
Symantec customers using Email Security.cloud are protected from these spam messages using our built-in Skeptic™ technology. In addition, Symantec has the following security signatures in place to detect these samples:
System Infected: Trojan.Cryptolocker
Intrusion Prevention Signature
Symantec continues to protect against the latest developments in the Cryptolocker malware and we strongly encourage users to routinely back up their files as a way to mitigate any potential damage that may occur from a Cryptolocker infection. For guidance on file recovery using built-in tools, please visit the following support article: Recovering Ransomlocked Files Using Built-In Windows Tools.