Cryptolocker Ransomware – 10M UK Users targeted.Basic countermeasures

Cryptolocker is considered one of most insidious threat for Internet users, a recent spam campaign targeted 10M UK Users, let’s learn how fight it

Recently the UK’s National Crime Agency has issued an alert on a large spam campaign based on CryptoLocker ransomware that is targeting more than 10 million UK based email users. CryptoLocker malware is considered very insidious by users, it encrypts victim’s files and then demands a ransom money to restore access. CryptoLocker was first detected in the wild in September 2013, what makes CryptoLocker so insidious is the way it encrypts the victim’s data using a strong encryption method making impossible to access it without paying the ransom amount. If the victim doesn’t pay the ransom amount in 72 hours, CryptoLocker will delete the decryption key to decrypt all the files on your PC.

The UK’s National Crime Agency revealed that spam emails targeted mainly accounts belonging to banks and financial institutions, usually the message include a malicious attachments that appears like files such as an invoice, details of a suspicious transaction, a voicemail or a fax. Bitdefender Labs security firm observed that in the week beginning Oct. 27, more than 12,000 computers were infected.

The UK’s National Crime Agency announced that it is investigating on the origin of the spam campaign:

“We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public.” Lee Miles, Deputy Head of the NCCU says.

Once victims try to open the file the Cryptolocker malware infects the machine and will then display a countdown timer that demands the payment of 2 Bitcoins in ransom, worth around £536, for the decryption key.

Victims are advised not to pay the ransom, event after the payment there is not assurance that files will be again available to the user.

Anyone whose computer is infected should report it to www.actionfraud.police.uk.

During these days I received many requests from readers to have indication on how to protect their machines from CryptoLocker ransomware.

The bad news is that there is no possibility to decrypt the files without the decryption key, brute force attacks are useless against 2048 bit encryption.

The prevention is essential, following some precious suggestions:

Avoid opening emails and attachments from unknown sources, especially zip or rar archive files.
Keep up-to-date defense systems, OS and applications.
Backup your data.
Windows 7 users should set up the System Restore points or, if you are using Windows 8, configure it to keep the file history.
If infected, make sure you have reformatted your hard drive to completely remove the CryptoLocker trojan before you attempt to re-install Windows and/or restore your files from a backup.

On the Internet it is possible to retrieve numerous tools to protect our system from CryptoLocker, HitmanPro.Alert is one of the best free utility that can defend us from CryptoLocker ransomware. The application in fact contains a new feature, called CryptoGuard, able to detect and neutralize malicious activities.

Other valid tools are BitDefender Anti-CryptoBlocker, an application that can detect and block CryptoLocker ransomware encryption of the user’s data and CryptoPrevent applies a number of settings to the Windows machine to prevent CryptoLocker from ever executing.

IPSs (Intrusion prevention systems) are also able to block Cryptolocker interfering with communication to remote command-and-control server used by the malware to retrieve the key to encrypt the files.

Let me close with a curious new that demonstrate that nose is secure … a local police department in Swansea, Massachusetts, has paid criminals to decrypt files locked up by the CryptoLocker ransomware on police computer systems, according to local press reports. The department paid $750 for the decryption key to retrieve its files, using Bitcoins as currency.

Pierluigi Paganini

(Security Affairs – Cryptolocker, Cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.