Filecoder epidemic goes global as Australians among “millions” of victims worldwide

Filecoder, an unpleasant and virulent strain of ransomware detected by ESET in large numbers of machines in Russia in September is now spreading globally, with experts estimating that the gang behind it must be earning “millions”.

Part of the reason for their success is the surge in the value of cryptocurrency Bitcoin, which broke the $1,000 barrier for the first time this week, according to Forbes’ report. Filecoder encrypts a user’s files, then demands a ransom in Bitcoin.

The malware – also known as Cryptolocker – is spreading fast, and widely. The U.S. government has issued an official warning that it appears to be targeting small businesses, and PC Advisor says it is now widespread in Australia. It’s often spread via email, and the gang customize these for new territories – for instance, in Britain, Companies House has warned businesses to be wary of phishing emails.

ESET malware researcher Robert Lipovsky reported a resurgence in late September of the ransomware, which encrypts users’ files with near-unbreakable AES encryption and starts a 72-hour countdown, after which the files are “locked away” forever.

At the time, Lipovsky says, the malware largely affected users in Russia, with other victims in Spain and Italy. The malware spread via drive-by downloads from infected sites, and via email, Lipovsky says.

Since then, government warnings have come from the U.S. Computer Emergency Response Team and from Britain’s National Cyber Crime Unit, which warned that tens of millions of computer users are at risk due to a “mass spamming event.”

The malware, identified by ESET as Win32/Filecoder BT, is transmitted via emails that appear to come from banks and financial institutions, the National Cyber Crime Unit warns.

“The emails may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular. This spamming event is assessed as a significant risk,” the NCU warned, as reported by We Live Security here.

CNN Money has warned that the malware is a particular risk to small businesses, who may have a small number of machines – and thus more data on each, and few IT staff.

Security reporter Brian Krebs describes the malware outbreak as a “diabolical twist on an old scam,” pointing out how quickly the malware has adapted as it has spread. To begin with, users could only pay in Bitcoin or Moneypak – both of which are complicated to use – so the unknown attackers created a method to pay without using these.

PC Authority said that on 1 November, a variant of the Trojan allowed users to recover files “past deadline” by paying an even bigger sum – 10 bitcoins, or $3,000.

New versions of the malware have also dropped the ransom price in response to Bitcoin’s surging value – and one, according to Krebs, even offers users a second chance: “Newer versions change the desktop background to include a URL where the user can download the infection again and pay the ransom.”

Victims, government agencies and security experts agree on one thing – it’s unwise to pay up. In many cases, your files will remain locked anyway.

A We Live Security guide to how to defend yourself against Filecoder and other ransomware is here.

ESET researcher Robert Lipovsky says that the best defence is simply not to keep important data on one machine, and to back up regularly. If infected, switch off and disconnect immediately, and contact an IT professional. Lipovsky warns, “In most cases, recovering the encrypted files without the encryption key is nearly impossible.”

“There are, however, at least two ‘fortunate points’ about this malware: it’s visible, not hidden; the user knows he’s infected – unlike many other malware types that could be stealing money/data silently (of course, that doesn’t mean that he’s not infected with something else together with the filecoder!)”


Author , We Live Security

  • Jammer

    Is it just me or should the ISPs be more responsible as far as testing the authenticity of the sending IP address and the fact it would have to be a manipulated HTML email body containing the script to start the HTTP transfer. I wrote a script a while ago which utilized the BITSADMIN service from Windows to download files and execute them remotely. The user didn’t see anything and this was not used for malicious intentions, merely data transfer and install purposes (Mozilla Firefox).
    The problem I find is that people expect mail to be delivered in real-time these days without expecting a delay for ISP/email providers to unpack/scan the files in question if delivered through attachments. I would rather wait 5 minutes for a file to be delivered instead of 2 seconds and get infected by means of mail vectoring.

Copyright © 2017 ESET, All Rights Reserved.