Variant of CryptoLocker makes an unwelcome appearance.
Spam emails disguised as messages from local post offices – but actually packing the latest variant of the CryptoLocker ransomware – are being flung at surfers in Scandinavia.
Heimdal Security reports that emails referring to an undelivered package and written in local languages are actually attempts to trick prospective marks into visiting a dodgy website, which is nothing to do with local postal carriers.
These hacker-controlled websites attempt to trick users into downloading and opening a file contaminated with the CryptoLocker2 ransomware.
“Cryptolocker2 (AKA crypt0l0cker) has its own set of evasion tactics that it uses in order to trick traditional antivirus products into not detecting it,” Heimdal Security reports.
“These include new ways to avoid anti-debugging and sandbox actions, but also a new right-escalation method to force access to legitimate windows processes through injection,” it said.
Windows users in Denmark, Sweden and Norway are all in the firing line of a series of ongoing crimeware spam runs, Heimdal Security warns. The basic tactics in play have previously been used to sling malware at surfers in the US, UK, Australia and elsewhere, posing as messages from DHL and other postal carriers, while the same infrastructure has previously been associated with the distribution of Zeus GameOver and Shylock.
In related news, Trend Micro separately reports that ransomware scumbags have moved away from targeting consumers and are now tailoring their attacks to extort money from small- and medium-sized businesses.
SMEs are a sweet spot for criminals since many lack the security defences and backup set-ups that provide insurance against ransomware attacks found in larger enterprises.
The same would apply to consumers, but small businesses are a more attractive target from the perspective of cybercrooks because they are likely to have more money to hand.
The focus on SMEs is most evident in attacks slinging either TorrentLocker and CryptoWall, two of the more persistent and high-volume ransomware variants doing the rounds, Trend Micro reports.