American PC users are being hit with a new wave of filecoder ransomware, which locks access to computers and demands $300 – with a ticking timer before files are locked forever.
The U.S. Computer Emergency Response Team (US-CERT) issued a warning of an “increasing number” of infections with Cryptolocker, detected by ESET as a variant of Win32/Filecoder.
“CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments,” the agency says.
The Trojan was detected in 2013 – and We Live Security reported a surge in infections this summer.
US-CERT says that users are being targeted via emails resembling UPS and FedEx tracking notices.
ESET Malware Researcher Robert Lipovsky says, “We’ve noted a significant increase in Filecoder activity over the past few summer months.”
Lipovsky’s report on We Live Security showed which countries were being targeted with the malware, delivered via drive-by downloads and email attachments, among other common infection methods. At the time, Russia, Spain and Italy saw the most infections.
US-CERT’s warning shows that the threat remains active. “CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices,” the agency said. “In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.”
“To decrypt files, you need the private key,” the Trojan warns users. “The single copy of the private key is on a secret server. The server will destroy the key after the time specified in this window. After that, nobody will be able to restore the files.”
PC Authority reported that on 1 November, a variant of the Trojan allowed users to recover “past deadline” by paying an even bigger sum – 10 bitcoins, or $3,000.
The malware affects Windows users running Windows 7, Vista and XP, according to US-CERT. The agency also warns that some users report paying the ransom without being given access to their files.
“Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key,” says US-CERT. “While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.”
The threat is not an empty one, Lipovsky says: “Unfortunately, in most cases, recovering the encrypted files without the encryption key is nearly impossible.”
With quick action, users can sometimes recover data, but the best defense is caution. We Live Security has published a guide to defending against ransomware. The most important advice, according to Lipovsky, is to back up data.
“If they have backups, then the malware is merely a nuisance,” says ESET researcher Robert Lipovsky. “So, the importance of doing regular backups should be strongly reiterated.”
US-CERT suggests that users immediately disconnect their systems from wireless or wired networks and contact an IT professional, and it advises against paying any ransom.
Author: Rob Waugh, We Live Security