Ransomware email attachment demands Bitcoin payments

An email attachment seemingly sent from financial institutions could threaten millions of users, particularly those in the UK.

The legitimate looking email installs ransomware “Cryptolocker” after an attachment is opened, immediately encrypting files. It also unleashes a bogus countdown timer designed to force panicked users to pay immediately. According to the BBC, users are ordered to pay two Bitcoins, or around US$1233 to have the files supposedly unencrypted and restored.

However, the NCA says ransom payments are not endorsed as there is no evidence that files will be unencrypted after complying. Deputy head of the National Cyber Crime unit Lee Miles says the criminals are targeting small to medium businesses and must be stopped.

"The NCA are actively pursuing organised crime groups committing this type of crime. We are working in co-operation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public." 

This is not the first time a ransom virus has threatened PC users.  Earlier this year, the notorious FBI ransomware locked out users of their devices until a ransom was paid. Although the earlier form of malware is still widespread, Cryptolocker could pose even a greater danger in the long term.  

Neowin users are encouraged to practise safe browsing habits. Be wary of emails even if it appears it comes from trusted sources. Readers are also advised to scan files with a trusted and updated anti-virus program. Anyone affected by this malware should report it to local authorities immediately.

Source: BBC | Images via Hacker News, Bleeping Computer

Report a problem with article
Previous Story

Samsung Galaxy Gear smartwatch bombs with under 50,000 units sold

Next Story

Google to remove image from Google Maps that shows a murder investigation


Commenting is disabled on this article.

This ransomware is definitely concocted by someone really sinister, but I still think the name would have been cool for another product/service had it not been used this way.

These kinds of virus' are really messed up.

What has ever happened to people that got busted for writing things such as the FBI Warning, etc.

I think the writers of this kind of crap deserve the death penalty!

Viruses, Trojans etc , won't last long but THIS ? THIS is true haxxor , cursed of the cursed to have on your PC. Never thought about this and they surely scam victims alot ! I think that cloud is the answer. And brains too.
This is the God of viruses after the one wich hits nuclear stations.

Edited by Decebalvs Rex, Nov 19 2013, 9:40pm :

We dodged this at work last week - one of our users asked me about "Outlook settings" - he'd got an email supposedly from the administrator with an attachment. I scanned the attachment, deleted it and my boss sent out a warning. Then 2 days later I was reading an article about Cryptolocker which had a screenshot that looked _exactly_ like that email! Close call - it had apparently been sent to several people in the company.

I am sure it just encrypts the HEADER for files not the file itself. So it may be possible to get the file contents back it would just appear that the file is corrupt.

With a normal word document there are references and bits of text in cleartext all the way through the document, this is all gone with the encrypted version.

neowin said,
Neowin users are encouraged to practise safe browsing habits.

Fail. lol Neowin users would't be reading this site if they are not good! I know some will be bad at practise safe browsing habits. But hey...

All you have to do is save your stuff on the cloud...and if you get this email and you are a victim of this...just simply wipe the hard drive and re-install. And your private files are safe on the cloud till you are able to re-install the OS.

I also did a research on this a while back. It's known that one of the main contamination vectors is through email attachments, but not only.

Kind of old news. I was researching this a month or two ago. The cryptolocker does encrypt the files with RSA 2048bit encryption. It is virtually impossible to brute force this encryption. If you remove the virus with a virus scanner, your files will be encrypted forever. If you try to redownload the virus, they will simply encrypt your encrypted files which means you can never decrypt them, even if you pay it. There have been reports that paying the ransom does release your files if you don't remove the virus. It can jump across network attached storage. And downloading insecure attachments is NOT the only way to get a virus such as this. Hacked or malicious websites can use malicious scripts to drop viruses into your temporary internet files undetected, which can proceed to download more viruses. Use a strong anti virus, and use tools such as NoScript to limit scripts except on trusted websites. Backup important files to unattached storage mediums.

Those of you not running a backup at least enable Volume Shadow Copies to get the "Previous Versions" option.

Those of us with Windows 8 are a bit SOL since Microsoft, in their "infinite wisdom" disabled this feature for "performance reasons". File History won't save you, so don't rely on it. Research how to use WBADMIN to do a real backup.

Shiranui said,
a sample email would be nice.

They're different types. Common ones were FedEx or UPS consignment information or invoices from large retailers.

Generally the ransomware is an executable inside a zipped archive.

Yes it really does, supposedly you can risk paying it, but it does drop another virus on your computer. The bad part is, if you have a network drive, it will encrypt all Word, Excel, PDF and picture files on that network share that are accessible besides the local computer. Three of our customers have been hit so far with this. We had no real choice but to restore from backup.

Yep. This has been going around for a while now. Maybe it's news because they updated the ransom to include Bitcoins.

It encrypts certain filetypes (docx, xlsx, pdf, jpg etc) on all local and attached drives. There's no fix. You pay the ransom or you better have a recent backup (that wasn't attached at the time).

jefflang09 said,
Does it really encrypt the files? Is there a way to undo it?

Yes, it encrypts them and due to the method it's infeasible to decrypt (brute forcing) with current computing power. Paying the ransom does decrypt the files, or at least it did previously when they "only" asked for a few hundred dollars.

It makes sense for decryption to work because then word gets around and more people will go that route if they don't have backups and it won't be too much of a financial hit for businesses.

billyea said,
Apparently there is a fix, but I haven't verified the integrity of this myself (I've never gotten the malware, hope not to!)


Decrypt Protect != Cryptolocker

The link you provided is for a fix for files encrypted by Decrypt Protect which uses a single key and simple encryption.

Cryptolocker generates new keys for each attach on a remote server. Only the public key which is used to encrypt the files is available to the local user and the private key isn't known until the ransom is paid and it's downloaded from the server as long as the timer hasn't expired.

I haven't gotten a virus in years. I remember using McAfee antivirus, and that was the absolute worst antivirus software I've ever used. I got many viruses using McAfee anti-virus on Windows XP. Then I later found Avast and never gotten a virus since.

Geezy said,
Doesn't windows prompt you and tell you it's a security risk when you open any new executable file?
These stupid warnings pop up so often its second nature just to blindly click yes. I'm not stupid enough to open an email attachment, but I can see how the windows security stuff is totally useless. I click those stupid warnings like 10 times a day...