Crypt0L0cker is back picking Italy as its primary target

by Jake Doevan - -

Crypt0L0cker had been actively carrying out attacks on Australian and European users from 2013 through 2015[1]. During that period, the experts have been putting their best efforts to decrypt it. They may not have found the decrypter, but their struggles really paid off. In the middle of 2015, reports about infiltrations of CryptoLocker and its infamous “cousin” Crypt0l0cker died down. This happened soon after its main source of distribution, Gameover Zeus botnet,[2] was shut down. Nevertheless, a relief did not last long as the beginning of 2017 brought some new problems to the table. New Crypt0L0cker versions started emerging one after another and after learning that most of them are based on the original Cryptolocker code, the virus analysts were forced to admit — CryptoLocker is back, and it is spreading more actively than ever.

Image of cryptolocker return

The hackers behind CryptoLocker’s decided to start slow. They have created versions of CryptoLocker specifically designed for certain countries. Italian users were the first ones on the list[3]. In fact, the Italian virus versions which the analysts now call “Il tuo computer e stato infettato da Cryptolocker!” Ransomware was spotted towards the end of 2016, but it started taking a real form only in the beginning of this year. The twisted spam campaign that the hackers employed to spread this virus around has significantly extended its dispersion. In particular, the extortionists sent emails via Certified Electronic Email which is Italy’s primary form of email communication. Such emails typically arrive with a subject name such as Invio fattura n. _________ (Invoice number ________) and feature an attached Zip file labeled fattura_[6_random_numbers].zip[4]. Once the file is extracted and opened, CryptoLocker immediately takes hold of the computer and starts encrypting files. The main problem with these emails is that the use of security certificate makes users believe the contents of the attached files are legitimate and safe.

The success of the Italian virus has encouraged hackers to create more country-specific infections. Soon, the Russian version CryptoLockerEU and the Portuguese CryptON were released, and though their dispersion does not compare to the Italian one, they are gaining speed quickly. Be very careful if you live in any of the mentioned countries. Frankly, anywhere nowhere in the world is safe as long as there is network connection. Thus, you must take active measures to prevent ransomware attacks or at least diminish their consequences.[5]


Read in other languages