The holiday season is the period of the year in which cybercrime appears more active because it is advantaged by a fervid online activity of the Internet users. This is the period of the year, for example, in which users receive a notification from couriers and invoices for their purchases resulting from their online shopping.
People are more likely to open a malicious email attachment that pretends to be a notification or memo about a specific shipment. Experts at TrendMicro have analyzed the diffusion of Crypto-Ransomware in the EMEA Region based on data collected via the Trend Micro Smart Protection Network.
“Cybercriminals are aware of this and have begun using parcel delivery as the social engineering lure for recent crypto-ransomware attacks in the EMEA (Europe-Middle East-Africa) region. This is a marked shift as previous attacks involved invoices and financial statements.” states the blog post published by TrendMicro.
According to the experts, some countries have become privileged targets crypto-ransomware based attacks for the last three months. Spain, UK, France, Turkey and Italy are the main countries affected by the crypto-ransomware.
I was analyzing the Top infected countries in the EMEA region in the Quarter when I noticed that the country most targeted by crypto-ransomware in October 2014 and November 2014 is the Italy. In particular in November 2014 the number of infections in my country reached the 31,19 percent of the total and for me is a worrying data!
The attack chain for Crypto-ransomware variants is always the same, victims receive an email that contains a link or an attachment. The attackers use social engineering techniques to trick victims into clicks the link or open the malicious attachment. The report published by TrendMicro cited the example of an email that appears to be sent by an Italian courier, an email that for me is very familiar because I saw it hundred of times this year.
The email invites the recipient to click on a link in the body of the message, the link redirects the victim to a site controlled by the attacker that is a spoofed version of a courier site.
Figure 2. CAPTCHA code is required to access the file
The landing page presents a CAPTCHA to the user and once the code has been entered, it triggers the download of a Zip archive file and the attack phase starts once victims open an archive downloaded from the website.
“But before the final payload—file encryption—is executed, the user still has to extract the malicious file. We detect this particular variant as TROJ_CRYPLOCK.WJP.” states the blog post.
Experts to never pay the ransom because there are no guarantees that the payment will allow decryption of the files.
The post also provides a few recommendations to protect computers and files from crypto-ransomware, including setting up email policies to prevent infection via malicious attachments or through the share of a malicious link. The deployment of anti-spam or email scanning solutions could improve the resilience of systems against Crypto-ransomware based attacks.
“Users can also reconfigure some settings to add another layer of protection. For example, they can configure their macro security level to high or disable them completely, as we are seeing macros being used in attacks. Users can also check that the User Access Control (UAC) settings are enabled to prevent malicious applications from allowing themselves to auto-run with administrator rights.” are other tips provided by Trend Micro.
(Security Affairs – Trend Micro, Crypto-ransomware)