Threat Management, Malware, Ransomware

CryptoLocker bursts onto scene again, targeting Europe and U.S.


Researchers have spotted a sudden resurgence of the Windows-based ransomware CryptoLocker early this year, specifically identifying clusters of attacks targeting Italy, Dutch-speaking victims, and even the U.S.

In a blog post on Wednesday, Lawrence Abrams, founder and owner of BleepingComputer, stated that the malware, also known as Torrentlocker and Teerac, began making a comeback toward the end of January 2017, after experiencing an extended quiet period during the second half of 2016.

Citing the ID-Ransomware website operated by MalwareHuntersTeam, Abrams noted that reported CryptoLocker instances jumped from a just handful per day to nearly 100 per day to more than 400 per day by February.

Abrams confirmed CryptoLocker's recent uptick in activity with Microsoft's Malware Protection Center, whose telemetry picked up on increased attacks against Europe, especially Italy. An Italian ransomware referenced in the article noted that this campaign has been using Certified Electronic Email, a special type of email that holds the same legal value as a registered letter, to deliver spam in the guise of invoices. The emails appear secure and official because they are digitally signed, but it is all just a ruse to lower the recipient's guard and get them to open attached .JS files that download and install CryptoLocker.

“This is just another example showing how ransomware developers are adopting new techniques when distributing their malware,” Abrams wrote in his blog post. “It also tell us that end users and companies must remain vigilant and practice safe computing habits when it comes to opening email attachments.”

“While threat intelligence systems continue to decrease the time it takes to detect and block threats, we expect to see continued increases in ransomware attacks such as the variants described in the report,” said David Weston, principal security group manager within Microsoft's Research & Development department, in a statement provided to SC Media. “Our research into prevalent and emerging ransomware families reveals that delivery campaigns can typically stretch for days or even weeks, all the while employing similar techniques that our systems automatically learn. As long as enterprises can quickly investigate the first cases of infection or ‘patient zero', they can often effectively stop ransomware epidemics.”

Check Point Software Technologies confirmed with SC Media via email that its researchers have also observed a sudden rise in CryptoLocker attacks. In just the last few days, the company discovered a phishing email campaign that distributes Cryptolocker via the JavaScript-based downloader malware Nemucod and specifically targets Dutch speaking victims, even though infections were actually observed in Germany and Eastern European countries.

The phishing emails attempt to trick recipients into opening a zipped HTML file. "The HTML contains JS file, which pulls a second JS file from an Amazon server, which executes the first one on memory," said Lotem Finklesteen, threat intelligence researcher at Check Point. "Then, after pulling two more JS files, CryptoLocker is served to the victim machine and being executed."

Check Point also found infections in Norway and France on the surface that sound similar to BleepingComputer's report, in that victims are infected via phishing emails with zipped JS files attached as downloaders. "The vast majority of the infections we observed this week were in the U.S. The second major target was Western Europe, especially Germany," said Finklesteen.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.