New Malware Attack Isn’t Cryptolocker, Still Dangerous

Malware written on circuit board

Cryptolocker unveiled itself in 2013 as one of the worst malware threats on the web. Victims saw their files encrypted only to be released after a ransom payment was made, and even then sometimes the files would remain inaccessible. A new spam email scheme, as reported on the Symantec blog, uses the Cryptolocker name, but actually infects users with another form of crypto malware.

While the malware used in this attack isn’t Cryptolocker, it performs similarly. Users’ files are encrypted and a ransom is demanded. The use of the Cryptolocker name is perhaps to convince users that there’s no way around the encryption. Cryptolocker uses notoriously difficult, or nearly impossible, to break encryption. While this threat’s encryption hasn’t been closely analyzed, it’s likely that it hasn’t been crafted as carefully.

The attack begins with an email arriving appearing to be from an energy company. Users are told that they have an outstanding debt on an electric bill. That should be the first clue for most users. In this sense, this particular threat is more believable than others. Many companies, including electric providers, often send an email to customers telling them their latest bill is ready.

The message contains a link supposedly allowing users to view their bill. It directs them to a website containing a CAPTCHA. The number you’re directed to enter never changes, however. From there, users arrive on a page with a link to download their bill. It downloads as a file disguised as a .PDF. Again, this is all fairly believable.

Opening that file, however, immediately causes files to be encrypted and a text file pops-up informing the victim that they’ve been hacked with Cryptolocker. They’re informed to send an email to a provided address to start the ransom process.

There’s an added feature to this attack also. The malware checks to see if the user is running email client Outlook or Thunderbird. If you are, your contact list is stolen and sent to the attacker, presumably to help spread the malware to more users.

As with any other crypto attack, the key is to avoid infection. Once your files are encrypted, it’s extremely difficult to unlock them. Avoid these threats by being extremely cautious about following links in emails and downloading attachments. Also, regularly back-up your important files in case they’re encrypted or corrupted.

For help recovering from a malware infection, call Geek Rescue at 918-369-4335.

June 4th, 2014