CryptoLocker Ransomware Springs on Scandinavians
Malicious operators are now delivering emails with links to malware-delivering websites that download ransomware to unsuspecting PC users in Scandinavia, reports Heimdal Security.
Here’s how the scam works, as explained by Andra Zaharia of Heimdal Security:
- Unsuspecting users have a legitimate-looking email delivered from the post-office, claiming that the user’s address wasn’t located by the postman.
- The email contains a link that redirects to a website where the user is then encouraged to go to the post office in order to pick up the undelivered package.
- Meanwhile, the website has pushed an automatic download onto the user’s computer. Predictably, the download is an executable file.
- Within seconds, the malware encrypts all data on the user’s hard drive before popping up with a message demanding ransom in exchange for the user to gain control of his/her PC.
“Cyber criminals have been deceiving unsuspecting Internet users for a few years by using the post office emails scam. People fall for it because the post office is one of the most familiar institutions for them, which they trust,” explains Zaharia.
CryptoLocker 2, the Latest Variant of the Evolving Ransomware
The latest malware delivered to Scandinavian users is the CryptoLocker 2 ransomware, aka crypt0l0cker, as it popularly referred to on the dark web.
Users all over Denmark are the targeted recipients of the latest batch of ransomware in emails pretending to be sent from PostNord or Post Denmark.
The screenshot, as gained by Heimdal Security, shows the link within the email that, when clicked, will redirect unsuspecting users to a website that will download the file ‘forsendelse.zip’, containing the executable file, forsendelse.exe.
The malicious operators wielding the ransomware campaign are clever about their operation too, by targeting users in a specific country or region at a time. Such specificity ensures that fake emails are translated into the local language correctly and use all the visual cues and indicators to seem like a legitimate email.
It doesn’t stop there with Cryptolocker 2.
Cryptolocker 2 has its own set of evasion tactics that it uses to trick traditional antivirus products into not detecting it. These include new ways to avoid anti-debugging and sandbox actions, but also a new right-escalation method to force access to legitimate Windows processes through injection, added Zaharia.
The malware isn’t flagged by most anti-virus filters either, with only 1 out of 56 AV scanning engines detecting the malware when the campaign struck Danish users.
Images from Shutterstock, Heimdal Security, and Flickr.