Security software provider ESET reports that it has received multiple reports of a new malware campaign in various countries, mostly in Latin America and Eastern Europe. It starts with a fake email that purports to contain a fax but in reality delivers malicious code. The code encrypts the victim’s files and is then used to extort a ransom in bitcoins for recovery of the encrypted information.
Called CTB-Locker Ransomware, the malware has caused headaches for thousands of users. Poland, the Czech Republic and Mexico are the most affected, as shown in the following graphic:
The attack begins with a fake email arriving in the user’s inbox. The subject of the email pretends that the attachment is a fax; the file is detected by ESET as Win32/TrojanDownloader.Elenoocka.A. If you open this attachment and your antivirus software does not protect you, a variant of Win32/FileCoder.DA will be downloaded to your system; all your files will be encrypted and you will lose them forever, unless you pay a ransom in bitcoins to retrieve your information.
Files with extensions such as .mp4, .pem, .jpg, .doc, .cer, etc. are encrypted with a key, which makes it virtually impossible to recover the files. Once the malware has finished encrypting user information, it displays a warning and also changes the desktop background to a message similar to that seen in the image below:
Another peculiar detail of CTB-Locker is this: not only is the message shown to the user in different languages, but it also displays the currency appropriate to that language. If the user chooses to view the message in English, the price is in US dollars; otherwise the value will be in Euros.
While the encryption technique used by CTB-Locker makes it impossible to recover files by analysing the payload, there are certain safety measures that are recommended for users and companies:
· If you have a security solution for mail servers, enable filtering by extension. This will help by allowing you to block malicious files with extensions such as .scr, as used by Win32/TrojanDownloader.Elenoocka.A.
· Avoid opening attachments in emails of dubious origins where the sender has not been identified.
· Delete emails or mark them as spam to prevent other users or company employees being affected by these threats.
· Keep security solutions updated to detect the latest threats that are spreading.
· Perform up-to-date backups of your information.
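To illustrate the first recommendation above (blocking mail attachments by extension), here is an added example that is not part of ESET’s article or of any ESET product. It parses an email with Python’s standard `email` library, collects attachment filenames and flags any whose final extension is on a block list. The block list, the function names and the sample “fax” message are assumptions made for the example; the page itself names only the .scr extension used by the downloader. The check lowercases the extension and looks only at the last suffix, so a double-extension name such as `something.pdf.scr` is still caught.

```python
import email
from email.message import EmailMessage
from email.policy import default
from pathlib import PurePosixPath

# Extensions a mail gateway would refuse outright. Assumed list for this
# example; the article itself only mentions .scr.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def attachment_names(raw_message: str) -> list[str]:
    """Return the filenames of all attachments in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=default)
    names = []
    for part in msg.walk():
        # multipart containers carry no payload of their own
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def flagged_attachments(raw_message: str, blocked=BLOCKED_EXTENSIONS) -> list[str]:
    """Return attachment names whose final extension is on the block list.

    Only the last suffix is examined and it is compared case-insensitively,
    so 'Fax.PDF.SCR' is treated as a .scr file.
    """
    flagged = []
    for name in attachment_names(raw_message):
        suffix = PurePosixPath(name).suffix.lower()
        if suffix in blocked:
            flagged.append(name)
    return flagged


def build_sample_message(attachment_name: str) -> str:
    """Construct a sample lure message (constructed test data, not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "fax-service@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Incoming fax"
    msg.set_content("Your fax is attached.")
    # Placeholder bytes standing in for an executable attachment
    msg.add_attachment(
        b"MZ\x90\x00placeholder",
        maintype="application",
        subtype="octet-stream",
        filename=attachment_name,
    )
    return msg.as_string()


if __name__ == "__main__":
    for name in ("fax_document.scr", "FAX_DOCUMENT.PDF.SCR", "fax_document.pdf"):
        sample = build_sample_message(name)
        print(name, "->", "BLOCK" if flagged_attachments(sample) else "allow")
```

In a real gateway the same check would run before the message reaches the user’s mailbox; matching on the attachment’s declared filename is cheap, but it should be backed by content-type inspection, since a sender controls the filename.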
Mitigating such attacks is no simple task, and you need to take a proactive stance by supporting security technology with awareness and education.