Tens of millions of online banking customers in the U.K. are the targets of a dangerous spam campaign enticing users to open an attachment containing the CryptoLocker ransomware.
The U.K.’s National Crime Agency’s National Cyber Crime Unit (NCCU) posted an advisory late last week warning people to be vigilant about opening email attachments, in particular those attached to messages that appear to come from banks and other financial institutions; the advisory says the campaign appears aimed chiefly at small and medium-sized businesses.
“The emails may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular,” the advisory said. “This spamming event is assessed as a significant risk.”
The attachments purport to be about a number of potential issues with a user account, including details of suspicious transactions, invoices, voicemails or faxes. Instead, they drop the ransomware on the victim’s machine.
“The NCA are actively pursuing organized crime groups committing this type of crime,” said Lee Miles, Deputy Head of the NCCU. “We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public.”
US-CERT issued an advisory two weeks ago about a spike in CryptoLocker infections. Unlike more familiar ransomware, which puts up a similar banner but merely locks the user out of the machine until the ransom is paid, CryptoLocker finds and encrypts the victim’s files, including files on a number of network resources, and then displays a banner demanding a ransom for the decryption key. A clock on the banner counts down to the time at which the attackers say the private key will be destroyed.
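The point of the countdown is key management rather than the cipher itself: the victim’s machine only ever needs the attacker’s public key to encrypt, and the private key that unwraps each file’s key never leaves the attacker’s server. The following Go program is an added illustration of that hybrid scheme, written for this page; it is not CryptoLocker’s code, and the file layout, key sizes and field names are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// lockedFile is an illustrative layout (assumed here, not CryptoLocker's real
// format): the body is encrypted under a fresh per-file AES-256-GCM key, and
// that key is wrapped with the attacker's RSA public key, so only the matching
// private key can unwrap it.
type lockedFile struct {
	wrappedKey []byte // per-file AES key, RSA-OAEP encrypted to the attacker's public key
	nonce      []byte
	ciphertext []byte
}

// lockFile is the victim-side operation. It needs only the public key, which is
// why the private key never has to be present on the infected machine.
func lockFile(pub *rsa.PublicKey, plaintext []byte) (*lockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &lockedFile{
		wrappedKey: wrapped,
		nonce:      nonce,
		ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// unlockFile is the recovery operation the ransom note is selling. Without the
// private key the wrapped file key cannot be recovered, and a different private
// key fails OAEP decryption outright rather than producing garbage.
func unlockFile(priv *rsa.PrivateKey, lf *lockedFile) ([]byte, error) {
	if priv == nil {
		return nil, errors.New("no private key: it was only ever held on the attacker's server")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.wrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.nonce, lf.ciphertext, nil)
}

func main() {
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)    // stays on the C&C server
	someoneElse, _ := rsa.GenerateKey(rand.Reader, 2048) // any other key pair
	lf, _ := lockFile(&attacker.PublicKey, []byte("Q3 invoices (constructed sample document)"))

	_, err := unlockFile(nil, lf)
	fmt.Println("without private key:", err)
	_, err = unlockFile(someoneElse, lf)
	fmt.Println("with a different private key:", err)
	plain, _ := unlockFile(attacker, lf)
	fmt.Println("with the attacker's private key:", string(plain))
}
```

The practical consequence is the one law enforcement draws below: nothing on the victim’s disk or in memory after the fact contains the private key, so recovery without it means restoring from backups that were not reachable from the infected machine.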
The attackers in this case are demanding £536, according to the NCA, roughly $850 US. Victims are told to pay via Bitcoin or MoneyPak.
Much like law enforcement in the U.S., the NCA advises victims not to pay the ransom, noting that there is no guarantee the criminals will actually decrypt the files. Instead, the NCA asks victims to report CryptoLocker infections to Action Fraud, the U.K.’s national fraud and Internet crime reporting center.
CryptoLocker has been in circulation for a few months, but infections started surging last month, according to a US-CERT advisory. In the U.S., the attackers have found success using phony Federal Express or UPS tracking notification emails as a lure.
The malware looks for files not only on the local disk but on any storage the infected machine can reach: mapped network drives and other network file shares, removable media such as USB sticks and external hard drives, and some cloud storage services, which it reaches through their locally synced folders.
“If one computer on a network becomes infected, mapped network drives could also become infected,” the US-CERT advisory warns, adding that victims should disconnect their computers from wired and wireless networks as soon as they see the red-screen notice CryptoLocker displays with instructions for recovering the encrypted files, so as to limit what else the malware can reach.
Upon infection, the malware contacts the attacker’s command-and-control infrastructure, and the asymmetric key is held there rather than on the victim’s machine. Researchers at Kaspersky Lab said CryptoLocker uses a domain generation algorithm (DGA) to produce up to 1,000 candidate domain names through which it tries to reach that infrastructure. During a three-day period in October, more than 2,700 infected hosts attempted to contact three CryptoLocker domains that Kaspersky had sinkholed.
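Sinkholing works because a DGA is deterministic: once the algorithm is reversed, a defender can compute the same candidate list the malware will compute, register or sinkhole some of it, and match resolver logs against the rest to find infected hosts. The Go program below is an added example written for this page, not Kaspersky’s or CryptoLocker’s code. The date-seeded hash DGA, the 1,000-candidate count, the log record format and the sample records are all assumptions constructed for the example; this article does not describe the real algorithm.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

// candidateDomains returns n deterministic, date-seeded domains. This is a
// stand-in DGA written for illustration (hash of the date and a counter); it is
// not CryptoLocker's actual algorithm.
func candidateDomains(day time.Time, n int) []string {
	tlds := []string{"com", "net", "org", "biz", "info", "ru", "co.uk"}
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", day.UTC().Format("2006-01-02"), i)))
		var label strings.Builder
		for _, b := range sum[:12] {
			label.WriteByte('a' + b%26)
		}
		out = append(out, label.String()+"."+tlds[int(sum[12])%len(tlds)])
	}
	return out
}

// infectedHosts scans resolver log records of the constructed form
// "<RFC3339 time> <client IP> <queried name>" and returns, per client, the
// queried names that fall in the DGA candidate set. Candidates for the day
// before and after are included too: a date-seeded DGA on a machine whose clock
// is skewed, or a log that spans midnight UTC, would otherwise be missed.
func infectedHosts(day time.Time, logLines []string) map[string][]string {
	candidates := make(map[string]bool, 3*1000)
	for _, d := range []time.Time{day.AddDate(0, 0, -1), day, day.AddDate(0, 0, 1)} {
		for _, name := range candidateDomains(d, 1000) {
			candidates[name] = true
		}
	}
	hits := map[string][]string{}
	for _, line := range logLines {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue // malformed record: skip it rather than abort the scan
		}
		name := strings.ToLower(strings.TrimSuffix(f[2], "."))
		if candidates[name] {
			hits[f[1]] = append(hits[f[1]], name)
		}
	}
	return hits
}

// sampleLog builds constructed resolver records for the given day: one client
// that beacons to two DGA candidates, one that only resolves benign names, and
// a corrupt line the parser must tolerate.
func sampleLog(day time.Time) []string {
	dga := candidateDomains(day, 1000)
	ts := day.Format(time.RFC3339)
	return []string{
		ts + " 10.1.2.3 www.example.com",
		ts + " 10.1.2.3 " + dga[7] + ".", // trailing dot, as some resolvers log names
		ts + " 10.1.2.9 mail.example.org",
		ts + " 10.1.2.3 " + dga[412],
		"corrupt record",
	}
}

func main() {
	day := time.Date(2013, time.October, 15, 0, 0, 0, 0, time.UTC)
	for host, names := range infectedHosts(day, sampleLog(day)) {
		fmt.Printf("%s queried %d DGA candidate(s): %v\n", host, len(names), names)
	}
}
```

In practice the same candidate set is also what you would feed to a DNS firewall or resolver blocklist, and the hosts it surfaces are the ones to pull off the network before they reach a share.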