
Cryptolocker Infections on the Rise; US-CERT Issues Warning

The Cryptolocker (also known as Crilock) ransomware attacks are showing no signs of slowing down with one anti-malware company counting more than 10,000 infections in the United States alone.


The malware, which encrypts files on infected machines and demands a ransom for decryption, has been spammed to “tens of millions” of computer users in the U.K., prompting a warning from the National Crime Agency to be on the alert for this virulent threat.

According to Bitdefender, about 12,000 infected hosts tried connecting to domains associated with Cryptolocker during a one-week period at the end of October.

By early November, the malware had infected about 34,000 machines, predominantly in English-speaking countries, according to Microsoft.

“During that period, 12016 infected hosts tried to contact the sinkholed domains; the majority of connection attempts came from US-based IP addresses. In fact, judging by the distribution of infected hosts and the payment methods available, it would seem that only systems in the US are targeted, with the rest being collateral damage,” Bitdefender said in a blog post.
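The sinkhole counting Bitdefender describes is the same check a network defender can run locally: match DNS or proxy logs against a watch-list of known sinkholed/C2 domains, list the internal hosts that tried to reach them (candidates for immediate isolation), and tally distinct hosts per country the way the blog post does. The script below is an added example, not Bitdefender's or US-CERT's code; the log line format and the `.invalid` domain names are constructed placeholders, not real Cryptolocker indicators.

```python
"""Triage DNS/sinkhole log lines against a watch-list of known-bad domains
and report which internal hosts contacted them.

Added example for illustration; the log format and the domains are
constructed (placeholders), not real Cryptolocker indicators."""
from collections import Counter, defaultdict
import re

# Constructed watch-list (placeholders): replace with vetted indicators.
SINKHOLED_DOMAINS = {
    "example-sinkhole-1.invalid",
    "example-sinkhole-2.invalid",
}

# Constructed log format: "<timestamp> <client-ip> <country> <queried-domain>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<cc>[A-Z]{2})\s+(?P<domain>\S+)$"
)

# Constructed sample log, including one line that does not parse.
SAMPLE_LOG = """\
2013-10-28T10:00:01Z 10.0.0.5 US example-sinkhole-1.invalid
2013-10-28T10:00:02Z 10.0.0.5 US example-sinkhole-2.invalid
2013-10-28T10:00:03Z 10.0.0.7 GB example-sinkhole-1.invalid
2013-10-28T10:00:04Z 10.0.0.9 US www.example.com
garbage line that does not parse
2013-10-28T10:00:05Z 10.0.0.12 CA example-sinkhole-2.invalid
"""


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(text, watchlist=SINKHOLED_DOMAINS):
    """Return (hosts_to_isolate, per_country).

    hosts_to_isolate maps each client IP that contacted a watch-listed domain
    to the set of such domains it reached; per_country counts distinct
    contacting hosts by country code (one host counted once, not per query)."""
    hosts = defaultdict(set)
    country_of = {}
    for rec in parse_lines(text):
        if rec["domain"].lower() in watchlist:
            hosts[rec["ip"]].add(rec["domain"])
            country_of[rec["ip"]] = rec["cc"]
    per_country = Counter(country_of.values())
    return dict(hosts), per_country


if __name__ == "__main__":
    hosts, per_country = triage(SAMPLE_LOG)
    for ip, doms in sorted(hosts.items()):
        print(f"isolate {ip}: contacted {', '.join(sorted(doms))}")
    print("distinct hosts by country:", dict(per_country))
```

Hosts are de-duplicated before counting, which is why the sample reports three hosts rather than four watch-list hits; a host that queried the domain but was blocked at the resolver still appears, because the query itself is the signal that the host needs attention.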

The U.S. Computer Emergency Response Team (US-CERT) notes that Cryptolocker is spreading fast through fake e-mails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.

“In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground,” US-CERT warned.

Once a machine becomes infected, Cryptolocker finds and encrypts files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.


If one computer on a network becomes infected, files on mapped network drives can be encrypted as well. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach; without that private key the victim cannot decrypt the files, which are encrypted using asymmetric encryption, according to an advisory from US-CERT.

The attackers are retrieving payments through third-party payment systems like Bitcoin and MoneyPak, but some infected users claim they paid the attackers and never received a decryption key.

US-CERT is encouraging computer users and administrators experiencing a ransomware infection to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

The following mitigation guidance is available for users dealing with a Cryptolocker infection:

– Immediately disconnect the infected system from wireless or wired networks. This may prevent the malware from encrypting any more files on the network.

– Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware.

– If possible, change all online account passwords and network passwords after removing the system from the network. Change all system passwords once the malware is removed from the system.

– Back up your data. According to Microsoft, the best defense against your data being encrypted by CryptoLocker/Crilock is to have a backup of your files.
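A backup only helps if you can tell, before restoring, that the copy has not itself been overwritten with encrypted garbage or quietly lost files. The script below is an added example, not Microsoft's or US-CERT's tooling: it records a SHA-256 manifest of a backup tree and later verifies the tree against that manifest, reporting files that were modified, removed or newly added. The manifest format (a JSON map of relative path to digest) and the sample files are this example's own assumptions.

```python
"""Build a SHA-256 manifest of a backup set and verify the set against it
later, so that files replaced by encrypted copies or removed are reported
rather than restored blindly.

Added example; the manifest format and the sample files are constructed."""
import hashlib
import json
import os
import tempfile


def _sha256(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def write_manifest(manifest, path):
    """Persist the manifest; store this copy offline, with the backup media."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def verify_backup(root, manifest):
    """Compare the current tree against a trusted manifest.

    Returns a dict with sorted 'modified', 'missing' and 'unexpected' lists;
    all three empty means the backup matches the recorded state."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: record a manifest, then overwrite one file with
    random bytes, delete another and drop in a stray file, as a mass-encryption
    event would, and verify. Returns (clean_report, damaged_report)."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        with open(os.path.join(docs, "report.txt"), "w") as f:
            f.write("quarterly report\n")
        with open(os.path.join(docs, "notes.txt"), "w") as f:
            f.write("meeting notes\n")
        manifest = build_manifest(root)
        write_manifest(manifest, os.path.join(root, "manifest.json"))
        # Baseline check, ignoring the manifest file we just wrote next to the data.
        clean = verify_backup(docs, {k[len("docs/"):]: v for k, v in manifest.items()})
        # Simulate damage to the backup copy.
        with open(os.path.join(docs, "report.txt"), "wb") as f:
            f.write(os.urandom(32))
        os.remove(os.path.join(docs, "notes.txt"))
        with open(os.path.join(docs, "stray.tmp"), "w") as f:
            f.write("constructed unexpected file\n")
        damaged = verify_backup(docs, {k[len("docs/"):]: v for k, v in manifest.items()})
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("baseline:", clean)
    print("after damage:", damaged)
```

The manifest must live somewhere the infected host cannot write, such as with an offline or read-only copy of the backup; a manifest kept on the same writable share could be rewritten along with the data, and verification would then report nothing.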


*Updated with additional data and mitigation advice from Microsoft

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
