Sometimes, the best cure is prevention - and multiple backups - given the nasty side effects of malware that encrypts your computer files and demands a hefty ransom.
That is what the original CryptoLocker malware does, and what the newer strain known both as TorrentLocker and as CryptoLocker does too, even though the new ‘CryptoLocker’ is a different family from the original.
Internet security company Trend Micro and its threat researchers in Australia decided to team up with Deakin University to fight the Australian-specific variants of CryptoLocker that have been spreading across the country at a rapid rate since September 2014.
While there’s no free decryption solution, or at least not as yet, we’re told that this new version of CryptoLocker targeting Australians ‘encrypts victims’ files and demands $598 in exchange for access back to the files’ and, cruelly, sees ‘the ransom demand doubling after 96 hours.’
Trend Micro and Deakin Uni have just released a new 16-page report on CryptoLocker, available as a free PDF download, in which both sets of researchers ‘monitored and analysed trends related to the CryptoLocker outbreaks occurring in Australia between 1 November and 30 November 2014.’
Throughout November, we’re told that ‘the study found more than 10,000 hits to redirection URLs, all considered CryptoLocker incidents.’
Unsurprisingly, the Australian strains of CryptoLocker work in much the same way as those seen in North America and Europe:
- First, the victims receive a spam email containing hyperlinks, claiming that parcel tracking information or a penalty notice is waiting for them at an ‘official website’;
- After clicking the hyperlink, the victims are redirected to a convincingly realistic web page mimicking the official sites of organisations such as Australia Post and the New South Wales Office of State Revenue, down to a lookalike domain name;
- The web page then delivers the malware payload to the victims’ computers through abused legitimate file-hosting sites;
- The malware proceeds to encrypt PDF and Microsoft Word documents and other commonly used file types;
- Once the victims’ files are encrypted, the malware demands a Bitcoin payment of at least $598 before the victims can recover their files.
There is some good news beyond monitoring and analysis - Trend and Deakin say they are ‘working to stop the attacks’.
Trend explains that, ‘on the days when outbreaks occur, Trend Micro has supplemented its internal processes with real-time alerts sent to Deakin University researchers who do further analysis of the outbreaks while the malicious sites are still active.’
Dr Jon Oliver, a senior threat researcher at Trend Micro Australia said: “CryptoLocker is a threat that is increasingly affecting individuals and Australian businesses. We teamed up with Deakin University because it required urgent attention.
“This strain of CryptoLocker tailored for Australian victims started in the second half of 2014, and continued up to Christmas Eve. The outbreaks have stopped for the New Year break, but will almost certainly continue in the New Year.”
Professor Yang Xiang, the leader of Deakin University’s research team said: “These attacks are technically sophisticated and specifically aimed at Australians and have been significantly increasing since July with an enormous impact on businesses and individuals.”
Naturally, the Australian CryptoLocker strain is built to evade, with the researchers noting that this malware ‘employs a variety of techniques to avoid detection.’
Dr Oliver said that: “The CryptoLocker attacks are adapting to security solutions, evading security measures in the next outbreak. Relying on a single aspect of detection can miss the next outbreak.
“Multi-layer filtering, which is also described as Defence-in-Depth, is a more robust approach.”
Mark Sinclair, commercial sales director at Trend Micro Australia and NZ said: “Many Australian businesses are being targeted and affected by CryptoLocker, from very large organisations to the very small; no one seems to be exempt.
“The whole industry is suffering so our work with Deakin University is vital to get on the front foot and stop the Australian strain of CryptoLocker in its tracks.”
While full details are in the report, we’re told that, ‘after receiving a spam email and clicking the URL included within, victims are redirected to a phishing web page where they submit CAPTCHA responses and are delivered a .ZIP file.’
‘Running or opening that .ZIP file leads to all images, documents, and personal data on the computer and shared drives being encrypted. The malicious software then demands that the victims pay to retrieve their files.’
So the best protection is to be extremely vigilant about the emails you receive, even when they look official, and to run up-to-date Internet security software that knows this threat. Just as important, keep more than one complete backup of all your files, onsite and offsite. Because the malware also encrypts shared drives, a backup that sits permanently mounted as a network share or drive letter can be encrypted along with everything else; at least one copy should be offline or otherwise not writable from the workstation.
After all, once this threat has run, your files are already encrypted, and there is as yet no easy, free decryption solution.
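The delivery chain described above (spam link, lookalike landing page, CAPTCHA, .ZIP from an abused file-hosting site) is something a mail or web gateway can correlate on rather than relying on any single signature. The following Python script is an added example, not code from the report or from Trend Micro or Deakin University: it walks constructed gateway log lines, flags clicks on domains that imitate Australia Post or the NSW Office of State Revenue, and raises a second alert when the same user then downloads a .zip within ten minutes. The legitimate domains, the brand tokens, the log format, the host names in the sample log and the ten-minute window are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Brands the report says the phishing pages imitate (Australia Post and the NSW
# Office of State Revenue). The registered domains and token spellings below are
# this example's assumptions, not data taken from the report.
LEGIT_DOMAINS = {
    "auspost": "auspost.com.au",
    "osr": "osr.nsw.gov.au",
}
BRAND_TOKENS = {
    "auspost": ("auspost", "australiapost"),
    "osr": ("osr",),
}
# Minimal public-suffix table; a real gateway should load the full public suffix list.
PUBLIC_SUFFIXES = ("nsw.gov.au", "gov.au", "com.au", "net.au", "org.au", "co.uk")

# A lookalike click followed by a .zip download inside this window is treated as one chain.
CHAIN_WINDOW = timedelta(minutes=10)

# Constructed gateway events: timestamp, user, action, URL. Not real traffic.
SAMPLE_LOG = """\
2014-11-12T09:14:03 alice click http://www.auspost.com.au/track/123
2014-11-12T09:20:11 bob click http://auspost-parcel-tracking.com/track?id=99
2014-11-12T09:21:40 bob download http://files.example-host.net/d/Parcel_Info.zip
2014-11-12T10:02:55 carol click http://osr-nsw-gov.com/penalty/notice
2014-11-12T10:03:30 carol download http://files.example-host.net/d/notice.zip
2014-11-12T11:30:00 dave download http://intranet.example.net/reports/q3.zip
"""


def registered_domain(host: str) -> str:
    """Strip subdomains: 'www.auspost.com.au' -> 'auspost.com.au'."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        s = suffix.split(".")
        if len(labels) > len(s) and labels[-len(s):] == s:
            return ".".join(labels[-len(s) - 1:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats of the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalike(host: str):
    """Return the brand a host impersonates, or None for the genuine domain or unrelated hosts."""
    rd = registered_domain(host)
    labels = re.split(r"[.-]", rd)
    for brand, legit in LEGIT_DOMAINS.items():
        if rd == legit:
            return None  # the brand's own registered domain
        if any(tok in labels for tok in BRAND_TOKENS[brand]):
            return brand  # brand name used as a label inside a domain the brand does not own
        if levenshtein(rd, legit) <= 1:
            return brand  # e.g. 'ausposts.com.au'; accepts some false positives by design
    return None


def parse_line(line: str):
    ts, user, action, url = line.split()
    return datetime.fromisoformat(ts), user, action, url


def analyse(log_text: str):
    """Walk events per user and flag the CryptoLocker delivery chain: a click on a
    brand-lookalike page followed shortly by a .zip download from any host."""
    findings = []
    last_lookalike = {}  # user -> (timestamp, brand)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, url = parse_line(line)
        parsed = urlparse(url)
        brand = brand_lookalike(parsed.hostname or "")
        if action == "click" and brand:
            findings.append((user, "lookalike_click", brand, url))
            last_lookalike[user] = (ts, brand)
        elif action == "download" and parsed.path.lower().endswith(".zip"):
            seen = last_lookalike.get(user)
            if seen and ts - seen[0] <= CHAIN_WINDOW:
                findings.append((user, "payload_download", seen[1], url))
    return findings


if __name__ == "__main__":
    for user, kind, brand, url in analyse(SAMPLE_LOG):
        print(f"{user:6} {kind:17} brand={brand:8} {url}")
```

The lookalike test is deliberately crude (a brand token used as a label, or an edit distance of one from the real domain), and a production gateway would use the full public suffix list and an organisation-maintained brand list. The part worth keeping is the correlation: the .zip itself comes from a legitimate file-hosting site, so it is the click on an imitation page shortly beforehand, not the download host, that makes the event worth alerting on, which is the multi-layer approach Dr Oliver argues for above.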
Stay safe - and be careful what you click!