CryptoLocker ransomware has been spotted in phishing-based attacks targeting users in Italy, France, Germany, Norway, the U.S., and various additional Western and Eastern European countries.
CryptoLocker ransomware has been spotted in phishing-based attacks targeting users in Italy, France, Germany, Norway, the U.S., and various additional Western and Eastern European countries.

Researchers have spotted a sudden resurgence of the Windows-based ransomware CryptoLocker early this year, specifically identifying clusters of attacks targeting Italy, Dutch-speaking victims, and even the U.S.

In a blog post on Wednesday, Lawrence Abrams, founder and owner of BleepingComputer, stated that the malware, also known as Torrentlocker and Teerac, began making a comeback toward the end of January 2017, after experiencing an extended quiet period during the second half of 2016.

Citing the ID-Ransomware website operated by MalwareHuntersTeam, Abrams noted that reported CryptoLocker instances jumped from a just handful per day to nearly 100 per day to more than 400 per day by February.

Abrams confirmed CryptoLocker's recent uptick in activity with Microsoft's Malware Protection Center, whose telemetry picked up on increased attacks against Europe, especially Italy. An Italian ransomware referenced in the article noted that this campaign has been using Certified Electronic Email, a special type of email that holds the same legal value as a registered letter, to deliver spam in the guise of invoices. The emails appear secure and official because they are digitally signed, but it is all just a ruse to lower the recipient's guard and get them to open attached .JS files that download and install CryptoLocker.

“This is just another example showing how ransomware developers are adopting new techniques when distributing their malware,” Abrams wrote in his blog post. “It also tell us that end users and companies must remain vigilant and practice safe computing habits when it comes to opening email attachments.”

“While threat intelligence systems continue to decrease the time it takes to detect and block threats, we expect to see continued increases in ransomware attacks such as the variants described in the report,” said David Weston, principal security group manager within Microsoft's Research & Development department, in a statement provided to SC Media. “Our research into prevalent and emerging ransomware families reveals that delivery campaigns can typically stretch for days or even weeks, all the while employing similar techniques that our systems automatically learn. As long as enterprises can quickly investigate the first cases of infection or ‘patient zero', they can often effectively stop ransomware epidemics.”

Check Point Software Technologies confirmed with SC Media via email that its researchers have also observed a sudden rise in CryptoLocker attacks. In just the last few days, the company discovered a phishing email campaign that distributes Cryptolocker via the JavaScript-based downloader malware Nemucod and specifically targets Dutch speaking victims, even though infections were actually observed in Germany and Eastern European countries.

The phishing emails attempt to trick recipients into opening a zipped HTML file. "The HTML contains JS file, which pulls a second JS file from an Amazon server, which executes the first one on memory," said Lotem Finklesteen, threat intelligence researcher at Check Point. "Then, after pulling two more JS files, CryptoLocker is served to the victim machine and being executed."

Check Point also found infections in Norway and France on the surface that sound similar to BleepingComputer's report, in that victims are infected via phishing emails with zipped JS files attached as downloaders. "The vast majority of the infections we observed this week were in the U.S. The second major target was Western Europe, especially Germany," said Finklesteen.