Cryptolocker: UK SMEs warned that vicious ransom Trojan is targeting them

Encryption malware pointed at UK

Large numbers of UK SMEs are being targeted by a major spam campaign pushing the vicious Cryptolocker ransom malware using plausible-looking targeted attachments, the National Crime Agency (NCA) has warned.

In an unusual alert, the NCA's Cyber Crime Unit (NCCU) said that "tens of millions of UK customers" were in the sights of the latest campaign, which was turning up in inboxes posing as invoices from banks and financial organisations.

After encrypting any data files it finds on local and network-shared drives, this particular campaign demands 2 Bitcoins (£550 at current rates) in ransom for the unlock key. The point is driven home by a countdown timer that demands payment by a given deadline, usually 72 hours later.

"The NCA are actively pursuing organised crime groups committing this type of crime. We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public," said NCCU deputy head, Lee Miles.

Police were trying to track down the source of the email database being used to target firms, he said, a statement that hints at the disturbing possibility that a compromised database is being used, possibly also to target named individuals. If correct, such targeting would greatly increase the campaign's effectiveness and make it much harder for ISP and business anti-spam systems to filter out malicious emails.

Firms or individuals caught by Cryptolocker should not pay the ransom, which in any case would be unlikely to deliver the unlock key, Miles added. This seems like good advice; Russian firm Kaspersky Lab has warned that criminals using the malware appeared not to be supplying unlock keys to paying victims.

It's not clear when this campaign began, or even whether it is that new, but when it comes to the extraordinary Cryptolocker, a devastatingly effective piece of global malware that dates back no further than August 2013, anything is possible.

Too often, police in many countries have appeared to be behind the threat, reacting to the damage after it has been inflicted. In the space of only a few short weeks, Cryptolocker has become without challenge the malware story of 2013.

Who is behind Cryptolocker is a matter of speculation, but the culprits are believed to be an organised crime house with Russian and Ukrainian connections, possibly inspired by the criminals that launched the wave of hugely profitable fake antivirus scams a few years back. It also seems to be connected to banking malware campaigns.

Cryptolocker's encryption can't be cracked, so the plentiful advice on how to protect a business or individual PC against it concentrates on stopping the infection in the first place, starting with the unpleasant fact that even up-to-date antivirus software won't be enough.

Basic protections include having recent, secure and structured backups (not synchronised cloud backups, which could simply make things worse by replicating the encrypted files over the good copies), and even resetting the PC's clock to delay the countdown timer. Another angle is using software restriction policies to stop the malware from running at all.
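The software restriction policy angle can be put into practice with a few local registry rules. The script below is an added example written for this page, not something from the article or the NCA; it assumes the standard Software Restriction Policy (SRP) registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, and the set of user-profile paths it blocks, along with the helper name New-SrpPathRule, are my own choices rather than anything the article specifies. Run it from an elevated PowerShell session on a test machine first.

```powershell
# Added example (not from the article): create SRP "Disallowed" path rules so that
# executables cannot launch from the per-user locations an emailed dropper writes to.
# Assumes the documented SRP registry layout; in a domain, prefer deploying the same
# rules through Group Policy rather than writing the local keys directly.

$safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $safer '0\Paths'   # security level 0 = Disallowed

# Policy-wide settings: everything is allowed by default (262144 = Unrestricted),
# only the listed paths are blocked, rules apply to all users including admins.
New-Item -Path $safer -Force | Out-Null
New-ItemProperty -Path $safer -Name 'DefaultLevel'       -Value 262144 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $safer -Name 'TransparentEnabled' -Value 1      -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $safer -Name 'PolicyScope'        -Value 0      -PropertyType DWord -Force | Out-Null

# Hypothetical helper: one GUID-named subkey per path rule, with the value names SRP expects.
function New-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Description
    )
    $key = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString().ToUpper() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description'  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'LastModified' -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $key
}

# Constructed rule set (my selection): block .exe files launching from the roaming
# profile root and one level below it, and from the temp folder where archive
# attachments are typically extracted.
$rules = [ordered]@{
    '%AppData%\*.exe'             = 'Block executables in roaming profile root'
    '%AppData%\*\*.exe'           = 'Block executables in roaming profile subfolders'
    '%LocalAppData%\Temp\*.exe'   = 'Block executables in user temp folder'
    '%LocalAppData%\Temp\*\*.exe' = 'Block executables extracted into temp subfolders'
}

foreach ($entry in $rules.GetEnumerator()) {
    New-SrpPathRule -Path $entry.Key -Description $entry.Value | Out-Null
}

# Verify what is now disallowed: list every path rule with its description.
Get-ChildItem -Path $disallowed |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Select-Object Description, ItemData |
    Format-Table -AutoSize
```

Directly written rules take effect for new logon sessions, so log off or reboot before testing. Expect some legitimate software that installs or updates itself from %AppData% to be caught as well; such programs need their own Unrestricted-level exceptions (the same subkey layout under the 262144 branch), which is why the rule set should be piloted on a handful of machines before wider rollout.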

The most important advice is not to wait for official organisations such as US-CERT and the UK's NCA to warn of malware; the latest alert is worth paying attention to but is weeks later than it should have been.

UK security expert Graham Cluley has published an excellent summary of Cryptolocker and a link to Bleepingcomputer's must-read FAQ.
