New Cryptolocker Threat

The support team have recently noticed a resurgence in campaigns using socially engineered emails. These emails are designed to get you to click on links contained within the email. Clicking on these links will open seemingly harmless PDF files or Word documents but will actually infect your PCs, servers and networks with all sorts of nasties, including the ever-feared Cryptolocker/Cryptowall (and its growing list of variations), which encrypt your local, network, cloud-based and USB-connected files so you can't access them without paying a large sum of money.

This is just a friendly reminder to be on guard and vigilant. Please make sure you continue to spread the message to all staff in your organisation. Crypto-based intrusions are incredibly hard to stop and, although we deploy gateway firewalls, mail screening and local antivirus programs, these campaigns and their payload delivery methods are quite sophisticated and are designed by nature to bypass network defence mechanisms.

The biggest weakness of these emails is that they require the user to actively click the link and open whatever file is on the other end. They do not send infected files within the email as the various layers of defence we wrap around your IT infrastructure would simply block and delete the email. But this weakness is also the scam’s biggest strength as it only takes one user in your organisation to be fooled into clicking on an embedded link to get a copy of “their infringement” or to access “their bank statement" to infect your network.

Although these emails are engineered to look like the real thing, there are some very easy ways to check their validity.

Take the recent example below.

The first thing that should stand out is that the AFP doesn’t send out traffic notices, let alone via email. The grammar of the content is also very poor. This should be the first red flag.

Secondly, if you hover over any of the links, it will show you the web address it will be trying to redirect you to. In the example below, the links go to a website in Kazakhstan (.kz) called lavkachudes, so straight away we know this is not legit and the email should be deleted.

Thirdly, a common theme with malicious emails is they don't contain any addresses in the To: field in the email header. Legitimate emails will have your email address in the To: field because they would have acquired it from you directly at some point. 
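As an added example (not part of the original notice, and not a tool the support team provides), the following Python script applies the second and third checks above to a constructed sample message: it pulls the real destination of each link out of the HTML body (what hovering over the link would reveal), compares its domain with the claimed sender's domain, and flags a message that has nothing in the To: field. The two sample emails and every address and domain in them are made-up placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages. All addresses and domains are placeholders
# invented for this example; they are not taken from any real campaign.
SAMPLE_PHISH = """\
From: Traffic Notices <notices@police-notices.example.au>
Subject: Your infringement notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You has a traffic infringement. Click to view you notice:</p>
<a href="http://lavka.example.kz/notice.php?id=123">View infringement notice</a>
</body></html>
"""

SAMPLE_LEGIT = """\
From: Accounts <accounts@supplier.example.com>
To: you@yourcompany.example.com
Subject: Your March statement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready.</p>
<a href="https://portal.supplier.example.com/statements/march">Open statement</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag: the address you would see by hovering."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Crude 'organisation' part of a hostname: the last two labels, or three
    when the second-level label is a generic one (e.g. police.gov.au). Good
    enough for a sender-versus-link comparison; a production tool would use
    the Public Suffix List instead of this hand-written shortcut."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "co", "gov", "net", "org", "edu"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(raw_message):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Check 1 (third point in the notice): nothing in the To: field.
    if not (msg["To"] or "").strip():
        findings.append("empty To: field")

    # Check 2 (second point in the notice): where do the links really go?
    sender = msg["From"]
    sender_domain = ""
    if sender is not None and sender.addresses:
        sender_domain = registrable_domain(sender.addresses[0].domain)

    body = msg.get_body(preferencelist=("html",))
    hrefs = []
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        hrefs = extractor.hrefs

    for href in hrefs:
        host = urlparse(href).hostname or ""
        if host and registrable_domain(host) != sender_domain:
            findings.append(
                f"link to {host} does not match sender domain {sender_domain}"
            )
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, "->", analyse(sample) or ["no red flags"])
```

The sender-domain comparison is deliberately strict: a newsletter sent through a third-party mailing service will also trip it, so treat the output as a prompt to look closer, in the same way the hover check is, rather than as a verdict.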

Remember, if you ever have any doubt, feel free to forward the email to our support team, or even take a screenshot and send it to us. We can let you know straight away if it’s a scam or not and potentially save you hours of frustration and data restoration.