During the past two weeks several of our customers have been infected by the Cryptolocker virus. While their antvirus software has partially defended them against the threat, this was not before a number of files were encrypted.
In both cases it was identified that scam emails claiming to be from The Royal Mail, tricked victims into downloading CryptoLocker ransomware.
Two email types have been received, both stating that the Royal Mail are holding an item for them and that a response to the email is required to arrange for the item to be collected / resent.
1. The email informs the recipient that a parcel could not be delivered and that it is waiting for collection. The email encourages the recipient to click on a link within the email for further information. The link takes the recipient to a fake Royal Mail webpage as requests a code (delivered within the original email). Once the code has been entered the recipient is instructed to download an application which then downloads and installs the ransomware.
2. The email informs the recipient that they are holding a letter and that there will be a £5 per day charge if the letter is not collected. It then goes on to instruct the recipient to click on a link to request that the letter is resent. It is the clicking on this link which initiates the ransomware infection.
From the samples which we have seen, the emails have been sent from RoyalMailParcelpacketinfo@championmailservice.com or slight variations of this.
The ransomware encrypts files which are accessible by the recipient, if the machine is connected to a network and has drive mappings to file storage locations, it will attempt to encrypt these locations as well.
The recipient will receive a popup requesting a payment to decrypt the files, this starts around £300-£360, rising to £600-£660 if not paid within a period of time.
While there are reports of data being un-encrypted once the ransom has been paid, in most if not all cases, it is advised that data is restored from backup.
IMEX advises that its customers should take the following steps to reduce the potential for falling victim to this type of malware:
• Look at who the email is addressed to, is it generic or specifically addressed to yourself.
• Check the address of any email received to see if it appears legitimate, you may need to double click on the “email from name” to see the full address.
• Do not click on any link within the email, you can hover over the link to see the destination but if unsure, go to the relevant website and log in from there.
• Look at the quality of the graphics and content included within the email, are they high quality, does the content read well, if not be suspicious.
• Do not open attachments from unsolicited emails regardless of who they are from as the “from address” can also be fake (spoofed)
You can report a fraud and receive a police crime reference number, call Action Fraud on 0300 123 2040 or use the online fraud reporting tool.
If you wish to discuss the article above or ways of minimising your vulnerability to attacks such as this, please don’t hesitate to get in touch.