Security Alert: The Global “Get Your Cryptolocker as a Package” Campaign Continues

Heimdal Security (Healthy paranoia)
Sep 23, 2015

It’s a regular day and you’re busy at work, scrolling through emails and trying to figure out which to answer first. You notice one email from the post office and immediately click on it to see what it’s about: the postman didn’t find you home, so you have to go to the post office yourself to get your package.

But there’s a catch.

Once you click the link in the email, you are redirected to a website that serves an archive containing an executable. Open it, and within seconds the files on your hard drive start being encrypted; a message then pops up demanding a hefty ransom if you ever want to regain access to your data.

Verdict: you’ve just become a victim of a Cryptoware attack!

Why the post office emails scam still works

Cyber criminals have been deceiving unsuspecting Internet users for a few years with the post office email scam. People fall for it because the post office is one of the most familiar institutions to them, and one they trust. They never give it a second thought before clicking a link in such an email, and they never check the sender's address. These are fundamental mistakes that cyber criminals are aware of and exploit consistently.

Attackers are smart about it too: the spam campaigns that infect users around the world with Cryptoware are localized, meaning they only target users in a specific country at a time, and the emails are translated correctly and use the right visual elements to trigger instant action from the recipients.

More than a few countries have already been hit, mostly developed countries, because cyber criminals know that, in order to get a high return on investment on their attacks, they must aim for rich victims who can afford to pay the ransom and who store important data on their PCs.

United States residents were tricked by the post office email scam in 2011, followed by a fake DHL spam campaign in 2013, one in 2014 and the latest in early 2015.

The UK followed suit at the beginning of 2014, with people falling for the fake Royal Mail scam.

Australia was hit next in late 2014, and Italy and Spain became targets in May 2015.

A different version of the same scam, in which attackers posed as both energy providers and postal delivery services, tried to compromise PCs belonging to Internet users across Europe (Italy and Norway were the main targets).

Now Denmark has become their newest target and we have all the details about the attack.

Denmark — the latest victim cyber criminals set their eyes on

The latest Cryptolocker campaign our team has identified brought out this old favorite among the vast array of tactics that cyber criminals use.

Unsuspecting users all over Denmark received emails pretending to come from Post Denmark or PostNord, linking to malicious code identified as Cryptolocker2. This strain of Cryptoware uses the same infrastructure observed with Zeus GameOver and Shylock, the notorious banking malware families listed in The Top 10 Most Dangerous Malware That Can Empty Your Bank Account.

The attackers behind this scam have refined their tactics to preserve their anonymity, routing their traffic through multiple hosting providers around Europe. A DGA (Domain Generation Algorithm) is also employed, so that the command-and-control domain names change over time and cannot be blocked or taken down by name alone.

This new strain of ransomware even has its own name on the dark web: “crypt0l0cker“.

Cryptolocker2 (aka crypt0l0cker) has its own set of evasion tactics for slipping past traditional antivirus products. These include new anti-debugging and sandbox-detection checks, as well as a new privilege-escalation technique that gains access to legitimate Windows processes through code injection.

The malicious email contains a link that, if clicked, redirects the user to a web page that downloads the following archive, which contains the executable payload:

forsendelse.zip -> forsendelse.exe

The infection chain then follows this path (domains defanged):

  1. http://dshome[.]ru/cLkKV6jnihC5g.php?id=(email address of the recipient)
  2. -> postdanmark-portal[.]com, which serves forsendelse.zip
  3. -> sync.security.pp.regruhosting[.]ru

If the downloaded file is opened by an unknowing user, the Cryptoware crypt0l0cker is dropped on the PC, injects itself into several processes and proceeds to encrypt all locally stored data as well as the data on network-connected drives and shares.

Trying to reproduce the infection process afterwards only redirects the visitor to Google through a chain of referrals, another trick intended to frustrate detection and reverse engineering.

The malicious binary copies itself to the Windows folder under a randomly chosen filename (for example "Ksdfsdlp.exe") and then tries to connect to a server in Russia at the following IP address (sanitized by Heimdal Security): 109.120[.]155.159. Cryptolocker2 does this from inside the explorer.exe process, into which it injects itself. The malicious server is reached by DNS resolution of the following domains:

  • ejkoesc[.]net
  • oroxwey[.]com
  • mqweodhy[.]com
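The checks a network defender would run against the infrastructure described in this section, as an added example in Python that is not part of the original post or of Heimdal's tooling: it matches the delivery domains from the infection chain, the C2 IP and the three DNS names just listed against DNS log lines, and it flags the bursts of NXDOMAIN answers that DGA-based malware (mentioned earlier for this strain) typically produces while probing for the day's live domain. The log line format and the sample lines are constructed for the example, the only campaign indicators in it are the ones quoted in this article (refanged so they match), and the NXDOMAIN threshold is an assumed starting point.

```python
"""Added example (not from the original post): match the delivery and C2
indicators quoted in this article against DNS log lines, and flag the
NXDOMAIN bursts that DGA-based malware typically produces while it probes
for the day's live domain. Log format and sample lines are constructed."""
import re
from collections import defaultdict

# Indicators quoted in the article, refanged so they match log data.
DELIVERY_DOMAINS = {"dshome.ru", "postdanmark-portal.com",
                    "sync.security.pp.regruhosting.ru"}
C2_DOMAINS = {"ejkoesc.net", "oroxwey.com", "mqweodhy.com"}
C2_IPS = {"109.120.155.159"}

# Constructed log format (not real telemetry):
#   <timestamp> <client> <queried name | dst ip:port> <rcode or ->
SAMPLE_LOG = """
2015-09-22T09:14:02Z 10.0.0.15 postdanmark-portal.com NOERROR
2015-09-22T09:14:09Z 10.0.0.15 sync.security.pp.regruhosting.ru NOERROR
2015-09-22T09:16:40Z 10.0.0.15 ejkoesc.net NOERROR
2015-09-22T09:16:41Z 10.0.0.15 109.120.155.159:80 -
2015-09-22T09:17:00Z 10.0.0.22 www.google.com NOERROR
2015-09-22T09:18:01Z 10.0.0.15 zrqkvpl.net NXDOMAIN
2015-09-22T09:18:02Z 10.0.0.15 hwqoeud.com NXDOMAIN
2015-09-22T09:18:03Z 10.0.0.15 ploqkds.org NXDOMAIN
2015-09-22T09:18:04Z 10.0.0.15 vmqwoeh.net NXDOMAIN
2015-09-22T09:18:05Z 10.0.0.15 qpwoeir.com NXDOMAIN
2015-09-22T09:30:00Z 10.0.0.22 typo-exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")


def parse_line(line):
    """Return a dict for one log line, or None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, record, rcode = m.groups()
    return {"ts": ts, "client": client, "record": record, "rcode": rcode}


def in_domain_set(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def match_indicators(entry):
    """Return why the record matches a known indicator, or None."""
    record = entry["record"].lower()
    ip = IP_PORT_RE.match(record)
    if ip:
        return "c2-ip" if ip.group(1) in C2_IPS else None
    if in_domain_set(record, C2_DOMAINS):
        return "c2-domain"
    if in_domain_set(record, DELIVERY_DOMAINS):
        return "delivery-domain"
    return None


def nxdomain_bursts(entries, threshold):
    """Clients with at least `threshold` NXDOMAIN answers in the log window.
    A DGA queries many unregistered names before it finds the live one, so a
    burst of NXDOMAIN from one client is a strong (not conclusive) signal.
    The threshold is an assumed starting point; tune it to the environment."""
    counts = defaultdict(int)
    for e in entries:
        if e["rcode"] == "NXDOMAIN":
            counts[e["client"]] += 1
    return {c: n for c, n in counts.items() if n >= threshold}


def scan_log(text, threshold=5):
    """Run both checks over a log text; returns IOC hits and DGA suspects."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    hits = []
    for e in entries:
        reason = match_indicators(e)
        if reason:
            hits.append((e["client"], e["record"], reason))
    return {"ioc_hits": hits,
            "dga_suspects": nxdomain_bursts(entries, threshold)}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for client, record, reason in result["ioc_hits"]:
        print(f"IOC  {client} -> {record} ({reason})")
    for client, n in result["dga_suspects"].items():
        print(f"DGA? {client}: {n} NXDOMAIN answers")
```

Exact indicator matches catch only the infrastructure seen in this campaign; the NXDOMAIN heuristic is what catches the next set of generated domains, at the cost of false positives from typos and misconfigured clients, so treat it as a lead for a closer look at the client rather than a verdict.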

The result is loss of data and massive disruption. Every file on the victim's PC gets the ".encrypted" extension appended, and a "HOW_TO_RECOVER_FILES.html" file is created on the desktop. In it the victim finds payment instructions detailing how to regain access to the data, which is now being held for ransom.

The malicious code does not stop there: to make sure a restart does not disable the infection, it registers itself for autostart under the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agukelub

Moreover, this strain of Cryptolocker2 also disables Internet Explorer's anti-phishing filter through the following key:

HKEY_USERS\<user SID>\Software\Microsoft\Internet Explorer\PhishingFilter (filter set to disabled)
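A host-side triage of the artifacts just described (the ".encrypted" extension, the HOW_TO_RECOVER_FILES.html note on the desktop, the Run value and the PhishingFilter change), as an added Python example that is not part of the original post or of Heimdal's products. It reads Sysmon-style FileCreate (event 11) and RegistryValueSet (event 13) records and attaches a verdict to each process. The line format, the sample events, the process and file names in them and the "Enabled" value name under the PhishingFilter key are constructed assumptions, and the encrypted-file threshold is an assumed starting point.

```python
"""Added example (not from the original post): score the host artifacts of
crypt0l0cker described above from Sysmon-style event lines. The event line
format, the sample events and the threshold are constructed for the example."""
from collections import defaultdict

# Artifacts quoted in the article (lower-cased for case-insensitive matching).
ENCRYPTED_EXT = ".encrypted"
RANSOM_NOTE = "how_to_recover_files.html"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
PHISHING_KEY = r"hkcu\software\microsoft\internet explorer\phishingfilter"

# Constructed Sysmon-style records (not real telemetry):
#   <event id> <image> <target>    11 = FileCreate, 13 = RegistryValueSet
# The image path must not contain spaces in this simplified format.
# The "Enabled" value name under PhishingFilter is an assumption.
SAMPLE_EVENTS = r"""
11 C:\Windows\Ksdfsdlp.exe C:\Users\anna\Documents\budget.xlsx.encrypted
11 C:\Windows\Ksdfsdlp.exe C:\Users\anna\Documents\thesis.docx.encrypted
11 C:\Windows\Ksdfsdlp.exe C:\Users\anna\Pictures\holiday.jpg.encrypted
11 C:\Windows\Ksdfsdlp.exe Z:\shared\contracts\q3.pdf.encrypted
11 C:\Windows\Ksdfsdlp.exe Z:\shared\contracts\q4.pdf.encrypted
11 C:\Windows\Ksdfsdlp.exe C:\Users\anna\Desktop\HOW_TO_RECOVER_FILES.html
13 C:\Windows\Ksdfsdlp.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agukelub
13 C:\Windows\Ksdfsdlp.exe HKCU\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled
11 C:\Tools\7za.exe C:\Users\anna\Downloads\archive.7z
13 C:\Windows\System32\svchost.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive
"""


def parse_event(line):
    """Return {"id", "image", "target"} for one record, None if malformed."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return {"id": int(parts[0]), "image": parts[1], "target": parts[2]}


def verdict(f, min_encrypted):
    """Mass renames to .encrypted plus the ransom note is the ransomware
    behaviour itself; a single artifact only warrants a closer look, and a
    Run value on its own is ordinary installer behaviour."""
    mass_encrypt = f["encrypted_files"] >= min_encrypted
    if mass_encrypt and f["ransom_note"]:
        return "ransomware"
    if mass_encrypt or f["ransom_note"] or (f["persistence"] and f["phishing_filter"]):
        return "suspicious"
    return "benign"


def triage(text, min_encrypted=5):
    """Aggregate the four artifacts per process image and attach a verdict.
    min_encrypted is an assumed starting point; raise it on busy file servers."""
    findings = defaultdict(lambda: {"encrypted_files": 0, "ransom_note": False,
                                    "persistence": False, "phishing_filter": False})
    for ev in filter(None, map(parse_event, text.splitlines())):
        f = findings[ev["image"]]
        target = ev["target"].lower()
        if ev["id"] == 11:                       # FileCreate
            if target.endswith(ENCRYPTED_EXT):
                f["encrypted_files"] += 1
            elif target.endswith("\\" + RANSOM_NOTE):
                f["ransom_note"] = True
        elif ev["id"] == 13:                     # RegistryValueSet
            if target.startswith(RUN_KEY + "\\"):
                f["persistence"] = True
            elif target.startswith(PHISHING_KEY + "\\"):
                f["phishing_filter"] = True
    for f in findings.values():
        f["verdict"] = verdict(f, min_encrypted)
    return dict(findings)


if __name__ == "__main__":
    for image, f in triage(SAMPLE_EVENTS).items():
        print(f"{f['verdict']:<11} {image}: {f}")
```

Two caveats follow from the article itself: the sample attributes the writes to the dropped Ksdfsdlp.exe, but since this strain injects into explorer.exe and other legitimate processes, the image on the records may well be explorer.exe, so never exclude a process from the check by name; and the Z: path in the sample is there because encryption reaches network drives and shares, so the same scoring should run on file-server audit logs, not only on the workstation.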

Antivirus detection in this campaign is extremely low (VirusTotal score: 2/56 at the time of discovery), which makes it very dangerous to home users and corporate environments alike.

See the full VirusTotal report for the detection rates at the moment the campaign was discovered.

How to get protected from Cryptolocker2

Without even basic knowledge of cyber security, home users and employees in companies of all sizes are sitting ducks for cyber criminals. That is why education about online threats (and many other dangers) is so important, and the need will only grow as time goes by.

There are a few important security provisions to take in order to prevent a Cryptolocker2 infection, and the keywords are simple:

  • Install the latest software updates
  • Use a reliable antivirus product and other security tools that can protect you with multiple layers
  • Employ a specialized tool against financial stealing malware and ransomware threats that can detect and block attacks like the one involving Cryptolocker2, which traditional antivirus has a very difficult time detecting
  • Keep regular backups of your data in at least 2 different places (in the cloud and on an external hard drive), and keep the external drive disconnected between backups, because this strain also encrypts data on network-connected drives and shares
  • DO NOT CLICK on links in emails from unknown senders (caps intended here), and verify the sender's address before clicking on links sent by seemingly familiar senders
  • Learn how to detect cyber threats and how to protect yourself from them.

For a more comprehensive security guide against ransomware, with free resources and guidance, download the dedicated PDF from the blogpost.

Conclusion

Too many Internet users are unaware of the dangers of Cryptoware, and that is exactly what makes it so dangerous. There is no telling which country cyber criminals will set their eyes on next, but it could be yours, so you need to be prepared to handle a cyber attack, not just with tools, but with the knowledge that will help you choose the right tools and course of action.

The Cryptoware problem is becoming more prominent all over the world, usually with dire consequences for those who are not prepared to defend themselves or who do not follow best practices for personal or corporate data management.

So if you found this article useful, share it with someone who you believe would benefit from it. It’s not too late to protect yourself and those you love.
