The holiday season often means a lot of activity for couriers and parcel services, as people turn to online shopping and begin to send their gifts to far-flung loved ones. As such, it wouldn’t be too surprising to receive a notification or memo about a specific package that’s meant for you.
Cybercriminals are aware of this and have begun using parcel delivery as the social engineering lure for recent crypto-ransomware attacks in the EMEA (Europe-Middle East-Africa) region. This is a marked shift as previous attacks involved invoices and financial statements.
Based on feedback collected via the Trend Micro Smart Protection Network, certain countries have become the top victims of crypto-ransomware for the last three months. Looking at the charts below, we can see that Spain, France, Turkey, Italy, and the UK are among the “consistent” victims of crypto-ransomware.
Figure 1. Top infected countries in the EMEA region, September 2014
Figure 2. Top infected countries in the EMEA region, October 2014
Figure 3. Top infected countries in the EMEA region, November 2014
The Road to Infection
Crypto-ransomware variants almost always have the same routine. The victim receives an email, which contains a link or an attachment. Social engineering ensures that the victim clicks the link or opens the attachment, which is actually a malicious file. In this particular example, the email talks about a received package.
Figure 1. Sample message
Should the recipient click the link, he is redirected to another site, where he must enter a CAPTCHA code. This site is a spoofed version of a courier site.
Figure 2. CAPTCHA code is required to access the file
After the CAPTCHA code has been entered, it triggers the download of an archive file. But before the final payload—file encryption—is executed, the user still has to extract the malicious file. We detect this particular variant as TROJ_CRYPLOCK.WJP.
Figure 3. A ZIP file is downloaded
(Not) Paying the Ransom
Victims might be tempted to resolve the issue immediately by paying the fee. However, there are no guarantees that payment will equal decryption. Some crypto-ransomware variants even offer a free sample decryption, but again, this is more likely a ploy to convince users that decryption is possible and further encourage the victim to pay the fee.
Our blog entry, Defending Against CryptoLocker, speaks at length about the steps a user or enterprise can take in order to protect computers and files from crypto-ransomware. These security measures include setting up email policies to block potential threats via attachments and installing anti-spam or email scanning solutions.
Users can also reconfigure some settings to add another layer of protection. For example, they can configure their macro security level to high or disable them completely, as we are seeing macros being used in attacks. Users can also check that the User Access Control (UAC) settings are enabled to prevent malicious applications from allowing themselves to auto-run with administrator rights.
It’s important that users and enterprises employ security solutions to protect their devices and keep these solutions updated. They should look for features such as real-time scanning, which can detect and block malicious files in real time, web reputation to block any malicious sites and communication, and email reputation to scan for potential threats in emails. Behavior monitoring can also be greatly improve a system’s security as it can look and block routines that are suspicious and malicious.
Enterprises can protect their systems with Trend Micro’s Custom Defense Solution. Deep Discovery Email Inspector can help detect and block malicious emails before they get delivered to the targeted user by analyzing the attack from different perspectives, together with the forensic tools provided by Deep Discovery Endpoint Sensor in order to perform an investigation in your network to identify specific items (files, registry keys, processes, etc.) related to the threat. Deep Discovery Email Inspector will also send flagged attachments to Deep Discovery Analyzer for analysis. Analyzer sends these files to a customized sandbox, where it
can safely execute and analyze potentially malicious code. A detailed summary are then delivered to the submitter.
Hash of the mentioned malware: