A new ransomware email campaign has been detected that uses fake email messages purporting to come from PostNord or Post Denmark; the malware involved has been identified as Cryptolocker2.
Hackers are targeting Danish citizens with ransomware using a traditional method: they send an email message falsified to look as if it came from the Danish post office, informing the recipient that their package could not reach its destination and requiring the targeted victim to click a provided link to read more information about the package.
Clicking the provided link redirects the victim to a website hosting a malicious script that automatically downloads an executable, “forsendelse.exe”, onto the system. Within a few minutes that file runs automatically, encrypting the hard disk, all the data stored on it and the data found on network-connected devices; a message then pops up demanding a hefty ransom to decrypt the data and regain access to it.
All of the data stored locally on the hard disk remains encrypted, and the computer stays useless, until the demanded payment has been made to the attackers.
The malicious code even modifies registry values under “HKEY_LOCAL_MACHINE” so that the ransomware autoruns during the Windows start-up process. It also disables the anti-phishing filters through the registry.
Cryptolocker2’s encryption can also lead to massive data loss, as the extension of every file stored on the victim’s computer is changed to “.encrypted”. In addition, a new HTML file named “HOW_TO_RECOVER_FILES.html” is created on the desktop, outlining the instructions the victim must follow to make a payment and regain access to their data.
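The file-system artifacts described above (the “.encrypted” extension, the “HOW_TO_RECOVER_FILES.html” note on the desktop, and the dropped “forsendelse.exe”) are what an incident responder would look for first when triaging a suspect host. The following Python script is an added example, not code from the article or from Heimdal Security: it builds a constructed sample directory tree that mimics a hit machine and then walks it for those three indicators. The flagging threshold and the folder layout are assumptions made for the demonstration.

```python
"""Triage scan for the file-system indicators named in the article.

Added example (not from the article or Heimdal Security). Walks a directory
tree looking for:
  - files renamed to the ".encrypted" extension
  - the ransom note "HOW_TO_RECOVER_FILES.html"
  - the dropped executable "forsendelse.exe"
The sample tree is constructed here; the threshold is an assumption.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".encrypted"
RANSOM_NOTE = "HOW_TO_RECOVER_FILES.html"
DROPPER_NAME = "forsendelse.exe"
# Assumption: a few ".encrypted" files is enough to treat the host as hit.
ENCRYPTED_THRESHOLD = 3


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    droppers: list = field(default_factory=list)

    @property
    def compromised(self) -> bool:
        # A ransom note alone is decisive; otherwise rely on the rename count.
        return bool(self.ransom_notes) or len(self.encrypted_files) >= ENCRYPTED_THRESHOLD


def scan_tree(root: str) -> ScanResult:
    """Collect every path under `root` matching one of the indicators."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
            if lower == RANSOM_NOTE.lower():
                result.ransom_notes.append(path)
            if lower == DROPPER_NAME:
                result.droppers.append(path)
    return result


def build_sample_tree() -> str:
    """Constructed sample: renamed documents, a desktop note and the dropper
    in a temp folder. Placeholder files only, no real malware output."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    docs = os.path.join(root, "Documents")
    desktop = os.path.join(root, "Desktop")
    tmp = os.path.join(root, "Temp")
    for d in (docs, desktop, tmp):
        os.makedirs(d)
    for n in ("budget.xlsx.encrypted", "photo.jpg.encrypted",
              "notes.txt.encrypted", "readme.txt"):
        with open(os.path.join(docs, n), "wb"):
            pass
    with open(os.path.join(desktop, RANSOM_NOTE), "w") as f:
        f.write("<html>constructed placeholder note</html>")
    with open(os.path.join(tmp, DROPPER_NAME), "wb"):
        pass
    return root


if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print(f"encrypted={len(r.encrypted_files)} notes={len(r.ransom_notes)} "
          f"droppers={len(r.droppers)} compromised={r.compromised}")
```

Pointing `scan_tree` at a user profile or a mounted share gives a quick yes/no on whether this family's artifacts are present, which is useful for scoping how far the encryption spread across network-connected devices before restoring from backup.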
Andra Zaharia of Heimdal Security reported in a blog post that the attackers behind this ransomware campaign use multiple approaches to maintain their anonymity, such as using several hosting providers to hide their traffic and using a Domain Generation Algorithm (DGA).
The ransomware code used by the hackers has been identified as Cryptolocker2 and has its own identity on the dark web, “crypt0l0cker.” It has been explicitly designed with an evasion technique that lets it go undetected by antivirus programs.
According to Zaharia:
“Antivirus detection is extremely low in this campaign (VirusTotal score: 2/56), which makes it very dangerous to both home users and users in corporate environments.”
Keeping your system clean of email-borne ransomware is not rocket science. All you need to do is NEVER click or download email attachments sent by unknown users.