Security Response

Cryptolocker Alert: Millions in the UK Targeted in Mass Spam Campaign

Created: 18 Nov 2013 23:04:38 GMT • Updated: 23 Jan 2014 18:03:05 GMT
Satnam Narang

Last week, the United Kingdom’s National Crime Agency (NCA) warned that tens of millions of customers were being targeted by the Cryptolocker malware through a mass spam campaign.

According to the alert, millions of UK customers received malicious emails, but the primary targets seem to have been small and medium businesses.

A recent Symantec blog examined a threat named Trojan.Cryptolocker and how it is an aggressive evolution of the ransomware family of threats. Cryptolocker thrives by encrypting files on a victim’s computer and holding the decryption key for ransom. Interestingly, Symantec predicted this rise in ransomware in its most recent Internet Security Threat Report.
 

Figure 1. Example email from spam campaign leading to Cryptolocker

This recent spam campaign uses various lures to target its victims. For instance, we have seen emails claiming to be a voicemail message from an unknown number as well as an outstanding unpaid invoice.
 

Figure 2. Another example spam message leading to Cryptolocker

The malicious attachments themselves are downloaders, used to retrieve other threats, such as Trojan.Zbot, which ultimately lead to a Cryptolocker infection and ransom demand.
 

Figure 3. Payment request for decryption key

According to its alert, the NCA has observed samples of Cryptolocker requesting a payment of two Bitcoins (worth £653 as of November 18, 2013). Some of the samples Symantec analyzed requested only one Bitcoin.

Symantec customers using Email Security.cloud are protected from these spam messages using our built-in Skeptic™ technology. In addition, Symantec has the following security signatures in place to detect these samples:

| Detection name | Detection type |
| --- | --- |
| Downloader | Antivirus signature |
| Trojan.Zbot | Antivirus signature |
| Trojan.Cryptolocker | Antivirus signature |
| Trojan.Cryptolocker!g2 | Heuristic detection |
| Trojan.Cryptolocker!g3 | Heuristic detection |
| System Infected: Trojan.Cryptolocker | Intrusion Prevention Signature |

Symantec continues to protect against the latest developments in the Cryptolocker malware. We strongly encourage users to routinely back up their files as a way to mitigate any potential damage that may occur from a Cryptolocker infection. For guidance on file recovery using built-in tools, please visit the following support article: Recovering Ransomlocked Files Using Built-In Windows Tools.