Australia specifically targeted by Cryptolocker: Symantec
- 03 October, 2014 15:45
Australian is increasingly being hit by cryptomalware, according to Symantec.
Symantec Pacific region technology senior director, Sean Kopelke, said malware such as Crytolocker continues to spread through email-based social engineering and affect Australian victims.
“When you look at Crytolocker, the most important thing from the hacker’s point of view is the success of getting people to open these up,” he said.
What Symantec found with previous versions of Cryptolocker is it needs to be focused on a particular region to succeed.
“They customise letters to make them looks as if they came from an Australian postal delivery company, energy supplier, or bank, so that’s why the crytomalware has become specific for Australia,” he said.
Fooling the gatekeeper
Kopelke has also seen clever tactics employed by cybercriminals to circumvent security to reach a user and get them to click on a link.
“When a malicious mail came through in the past, what a lot of security technologies would do is find the embedded URL and follow it through to the end,” he said.
“If it knows it is malicious, it will not allow that email to come through.”
However, hackers noticed their malware was being caught, so they started putting a capture form at the end that requiring the user to input text to make it go through.
The malicious servers would also be turned off at the other end, so when the security would scan the email and follow the link to the end, nothing malicious would be found at the end.
“The servers would be started in the morning, as that is when people would come to work, check their inbox and click the link in the email,” Kopelke said.
Same but different
Symantec’s research has found the Trojan.Cryptolocker.F family is the main type of cryptomalware affecting Australian victims.
With this variant, Kopelke said cybercriminals have changed the way they get through to systems.
“It is quite different to the old Cryptolocker, to the point where it is not the same as the original malware,” he said.
“The outcome is the same, where it encrypts data and demands a ransom, but the technologies and code is significantly different.”
Kopelke said even referring to it as a variant is a “stretch,” though admits cybercriminals have latched on to the word Crytolocker because the “brand recognition” from a hacker’s point of view is “quite strong.”
“If victims are caught by Cryptolocker and don’t have a good backup, attackers hope they will pay the ransom if they feel the likelihood of decrypting the data is low,” he said.
Because cybercriminals have tasted some success with crytpmalware in the Australian region, Kopelke expects them to continuing with this targeted focus.
Patrick Budmar covers consumer and enterprise technology breaking news for IDG Communications. Follow Patrick on Twitter at @patrick_budmar.