New Massive Wave of CryptoLocker Ransomware Infections
We all thought that evil genius Evgeniy Bogachev had retired at the Black Sea with his tens of millions of ill-gotten gains after he became the FBI's #1 Most Wanted cybercriminal. Well, perhaps he ran out of money.
CryptoLocker is back big time. Researchers have spotted a sudden resurgence this year, specifically identifying clusters of attacks in Europe and the U.S.
For people new to the ransomware racket, Russian cybercrime gangs tend to test and debug their campaigns in Europe, and then attack America in full force. CryptoLocker is ransomware's still very potent granddaddy; it pioneered this highly successful criminal business model in September 2013, and hundreds of copycats followed.
In a blog post our friend Larry Abrams from BleepingComputer wrote that the strain -- also known as Torrentlocker and Teerac -- started its comeback toward the end of January 2017, after being quiet the second half of 2016.
Larry pointed to stats from the ID-Ransomware website which show CryptoLocker infections jumped from just a handful to nearly 100 per day, and then to more than 400 per day by February.
He also confirmed CryptoLocker's recent tsunami with Microsoft's Malware Protection Center, whose telemetry picked up on increased attacks against Europe, especially Italy. The phishing emails are designed to look secure and official because they are digitally signed, but it is all just social engineering to trick the recipient and get them to open attached .JS files that download and install CryptoLocker.
Check Point Software Technologies confirmed with SC Media that its researchers also observed a sudden rise in CryptoLocker attacks. The phishing emails attempt to trick recipients into opening a zipped HTML file. "The HTML contains a JS file, which pulls a second JS file from an Amazon server, which executes the first one in memory," said Lotem Finklesteen, threat intelligence researcher at Check Point.
"Then, after pulling two more JS files, CryptoLocker is served to the victim machine and executed. The vast majority of the infections we observed this week were in the U.S. The second major target was Western Europe, especially Germany," said Finklesteen.
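As an added illustration (not code from this newsletter or from any of the vendors quoted), the following Python check walks a message's attachments for the two lure shapes described above: a bare .JS attachment, and a zipped HTML file whose script loads a further stage from a remote host. The sample message, its file names and the example.invalid host are constructed for the demo.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure shapes from the reports above: bare .js attachments and zipped HTML that loads a script.
SCRIPT_EXT = (".js",)
HTML_EXT = (".htm", ".html")
REMOTE_SCRIPT = re.compile(r"<script[^>]+src\s*=\s*[\"']https?://", re.I)

def _flag_payload(name, data, findings, origin=""):
    """Classify one attachment (or archive member); recurse into zips."""
    lower = name.lower()
    where = f"{origin}/{name}" if origin else name
    if lower.endswith(SCRIPT_EXT):
        findings.append(f"script attachment: {where}")
    elif lower.endswith(HTML_EXT) and REMOTE_SCRIPT.search(data.decode("utf-8", "replace")):
        findings.append(f"html with remote script: {where}")
    elif lower.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > 5_000_000:  # skip zip bombs rather than inflate them
                        findings.append(f"oversized member skipped: {where}/{info.filename}")
                        continue
                    _flag_payload(info.filename, zf.read(info), findings, where)
        except zipfile.BadZipFile:
            findings.append(f"corrupt archive: {where}")

def suspicious_attachments(raw_eml: bytes) -> list:
    """Return findings for every attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        _flag_payload(part.get_filename() or "", part.get_payload(decode=True) or b"", findings)
    return findings

def build_sample_eml() -> bytes:
    """Constructed sample (not a real capture): zipped HTML pulling a remote script, plus a bare .js."""
    html = b'<html><script src="https://example.invalid/stage1.js"></script></html>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", html)
    m = EmailMessage()
    m["Subject"] = "Invoice"
    m.set_content("Please see attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    m.add_attachment(b"WScript.Echo(1);", maintype="application", subtype="javascript", filename="run.js")
    return m.as_bytes()
```

A mail gateway would quarantine on any finding; the oversized-member branch records the skipped file instead of decompressing it, so a bloated archive cannot stall the scanner.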
Ransomware as a global threat
Microsoft's Malware Protection Center blog stated: "Ransomware proved to be a truly global threat in 2016, having been observed in more than 200 territories. In the US alone, ransomware was encountered in more than 460,000 computers or 15% of global encounters. Italy and Russia follow with 252,000 and 192,000 ransomware encounters, respectively. Korea, Spain, Germany, Australia, and France all registered more than 100,000 encounters."
Let's stay safe out there.
Steven Weisman, Esq. warned against this scam and wrote on March 5th:
"Mystery shoppers are people hired to shop at a particular store and report on the shopping experience for purposes of quality control. Unlike many scams, there actually are legitimate mystery shopper companies, but they never advertise or recruit through emails."
Here is how the scam works: when a victim falls for the recruiting email, they are sent a bogus bank check that the bad guys ask them to deposit and then use for their "mystery" shopping. They spend some of the money on the goods that they buy, and are instructed to keep some of the balance of the check as payment for their services. The angle is that the victim is then instructed to return the remaining funds by wire transfer. Obviously, the check is counterfeit, but the money that the victim transfers by wire is all too real. Here is an example of a recent mystery shopper Scam of the Week email:
I suggest you send the following to your employees, friends, and family. You're welcome to copy, paste, and/or edit:
"Mystery Shopper" scams continue to snare unwary victims. Mystery shoppers are people hired to shop at a particular store and report on the shopping experience for purposes of quality control. Unlike many scams, there actually are legit mystery shopper companies, but they never advertise or recruit through emails. Here is how this scam works:
You get a bank check they ask you to deposit immediately and then go shop, and they say you get to keep some of the money as well. But the scammers ask you to wire the remaining money back to them right away. And as you might have guessed, their check is bogus but the money you wire back is real, and it's yours.
Here is a general safety rule: whenever you receive a check, wait for your bank to tell you that the check has fully cleared before you consider the funds as actually being in your account. Never accept a check for more than what is owed with instructions to send back the rest; that is a major red flag. Last, always be very wary whenever you are asked to wire funds, because this is a common theme in many scams.
Think Before You Click!
Everyone makes mistakes, but do they know it or know what to do next?
Ira Winkler wrote in his column at CSO: "When I realized I did something “stupid”, the important question was, “What do I do next?” I figured it out. Can your users?
First, does your awareness program provide specific examples of what to avoid, or does it provide blanket guidance for how to behave? In this case, while it wasn’t the predefined scam, what I experienced had the same effect. Does your phishing training teach people how to recognize the simulated phishing messages, or phishing messages in general?
Does your social engineering program teach people to recognize specific scams, or all general scams? You need to be very sure you’re teaching people the right things." More:
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Wednesday, March 8, 2017, at 2:00 p.m. (EST) for a 30-minute live product demonstration of KnowBe4's Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
- NEW Social Engineering Indicators patent-pending technology turns every simulated phishing email into a tool IT can use to instantly train employees.
- NEW Access to the world's largest library of awareness training content through our innovative Module Store.
- Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
- Active Directory Integration allows you to easily upload, sync and manage users, set-it-and-forget-it.
- Reporting to watch your Phish-prone percentage drop, with great ROI.
Register Now: https://attendee.gotowebinar.com/register/3367146988510458370