Over the past few days, ESET has received multiple reports of malware-spreading campaigns in various countries, mostly in Latin America and Eastern Europe.
A fake e-mail purporting to contain a fax is in fact nothing more than a campaign to spread malicious code. Of course, the ultimate goal is to encrypt their victims’ files and then to extort a ransom in bitcoins for retrieval of the encrypted information.

CTB-Locker Ransomware has caused headaches for thousands of users. Poland, Czech Republic and Mexico are the countries most affected.

The attack began with a fake e-mail arriving in the users’ inbox. The subject of the e-mail pretends that the attachment is a fax; the file is detected by ESET as Win32/TrojanDownloader.Elenoocka.A.

If you open this attachment and your antivirus software does not protect you, a variant of Win32/FileCoder.DA will be downloaded to your system; all your files will be encrypted and you will lose them forever, unless you pay a ransom in bitcoins to retrieve your information.

Files with extensions such as .mp4, .pem, .jpg, .doc, .cer and so on are encrypted with a key, which makes it virtually impossible to recover the files. Once the malware has finished encrypting user information it displays a warning and also changes the desktop background to a message warning that files are about to be corrupted.

Another peculiar detail of CTB-Locker is that the message is shown to the user in different languages – and it also displays the currency appropriate to that language. If the user chooses to view the message in English the price is in US dollars, otherwise the value will be in Euros.

While it’s true that the encryption technique used by CTB-Locker makes it impossible to recover files by analysing the payload, there are certain safety measures that are recommended for users and companies:

* If you have a security solution for mail servers, enable filtering by extension. This will help by allowing you to block malicious files with extensions such as .scr, as used by Win32/TrojanDownloader.Elenoocka.A.
* Avoid opening attachments in e-mails of dubious origins where the sender has not been identified.
* Delete e-mails or mark them as spam to prevent other users or company employees being affected by these threats.
* Keep security solutions updated to detect the latest threats that are spreading.
* Perform up-to-date backups of your information.
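As an added illustration of the first recommendation (this is not code from the article or from ESET), the Python snippet below shows the attachment-extension check a mail-server filter would apply, run over a constructed fake-fax message; the blocked-extension list beyond .scr and the sender/recipient addresses are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a mail gateway should quarantine outright. The .scr screensaver
# extension is the one the Elenoocka.A downloader arrived with in the fake
# fax e-mails; the other entries are assumed, directly executable types.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def blocked_extension(filename):
    """Return the blocked extension of filename, or None if it looks benign.

    The name is lower-cased and trailing dots/spaces are stripped so that
    'FAX_0012.PDF.SCR' or 'fax.scr.' are still recognised; only the final
    suffix decides, so a double extension like 'fax.pdf.scr' is caught.
    """
    name = filename.lower().rstrip(". ")
    if "." not in name:
        return None
    ext = "." + name.rsplit(".", 1)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_message(raw_message):
    """Parse a raw RFC 5322 message and list attachments that must be blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = blocked_extension(name)
        if ext:
            hits.append((name, ext))
    return hits


def build_sample():
    """Constructed fake-fax e-mail with a .scr attachment (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "fax-service@example.invalid"   # assumed sender
    msg["To"] = "employee@example.invalid"        # assumed recipient
    msg["Subject"] = "Incoming fax report"
    msg.set_content("You have received a new fax. See attachment.")
    msg.add_attachment(b"\x00constructed binary blob\x00", maintype="application",
                       subtype="octet-stream", filename="Fax_0012.pdf.SCR")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="cover_page.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ext in scan_message(build_sample()):
        print(f"blocked attachment {name!r} (extension {ext})")
```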