Danish users face the risk of being infected with Cryptolocker ransomware if clicking on fake Danish post office emails

Sep 23, 2015 02:40 GMT

Heimdal Security is reporting on a new email campaign that poses as the Danish post office, luring users into accessing a website where they're infected with the Cryptolocker 2 ransomware.

According to Heimdal Security researchers, the attack timeline starts with users receiving an email that masquerades as coming from the Danish post office.

The email informs the user that they were not home when a package was supposed to be delivered, so they must click on a link to read more information.

When they do, users are taken to a website that pushes an executable file onto them, which within seconds installs the Cryptolocker ransomware on their PC.

This malware strain then encrypts crucial files on the hard drive and sends the encryption key to a server controlled by the attackers.

To regain access to their files, the user must pay a hefty ransom, usually in Bitcoin.

The campaign is only active in Denmark and has very low detection rates on VirusTotal

According to Heimdal Security researchers, the campaign is currently active only in Denmark and is a variation of an older Royal Mail scam that hit Britain and then other countries, including the US, Norway, Italy, Spain, and Australia.

What made analysis of this infection even harder was that the link redirected users to the page hosting Cryptolocker only on the first visit. Any later visit was redirected to Google, a measure put in place to hinder reverse engineering by security researchers.
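The one-time redirect described above leaves a recognisable trace in web proxy logs: a URL that returns an executable once and then only redirects to Google. The following is an added defender-side example, not code from the article or from Heimdal Security; the log format, domain names and client addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed proxy log lines (not from the article): one URL is requested
# several times; only the first response delivers an executable, later
# requests are 302 redirects to Google, matching the one-time-redirect behaviour.
PROXY_LOG = """\
2015-09-22T09:14:02Z 10.0.0.5 GET http://track-example.invalid/pakke?id=7 200 application/x-msdownload
2015-09-22T09:15:40Z 10.0.0.9 GET http://track-example.invalid/pakke?id=7 302 text/html location=http://www.google.com/
2015-09-22T09:20:11Z 10.0.0.12 GET http://track-example.invalid/pakke?id=7 302 text/html location=http://www.google.com/
2015-09-22T10:01:00Z 10.0.0.5 GET http://intranet.example.invalid/news 200 text/html
"""

# MIME types commonly used when a server hands out a Windows executable.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}


def parse_line(line):
    """Split one constructed log line into its fields (hypothetical format)."""
    fields = line.split()
    ts, client, _method, url, status, ctype = fields[:6]
    extra = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
    return {"ts": ts, "client": client, "url": url, "status": int(status),
            "ctype": ctype, "location": extra.get("location")}


def find_one_shot_droppers(log_text):
    """Return URLs whose first hit served an executable and every later hit
    redirected to Google, together with the client that received the payload."""
    by_url = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_url[event["url"]].append(event)

    hits = {}
    for url, events in by_url.items():
        events.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
        first, rest = events[0], events[1:]
        served_exe = first["status"] == 200 and first["ctype"] in EXECUTABLE_TYPES
        later_to_google = bool(rest) and all(
            300 <= e["status"] < 400 and e["location"] and "google." in e["location"]
            for e in rest)
        if served_exe and later_to_google:
            # first["client"] is the host to isolate and check for encryption activity
            hits[url] = {"first_client": first["client"],
                         "payload_type": first["ctype"],
                         "later_redirects": len(rest)}
    return hits


if __name__ == "__main__":
    for url, info in find_one_shot_droppers(PROXY_LOG).items():
        print(url, info)
```

The host recorded as the first requester is the one that actually received the executable; the later visitors only saw the Google redirect, which is exactly why a researcher revisiting the link would find nothing.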

As Heimdal researchers point out, this campaign seems to be run by Russian criminals, using some Russian domains and a Russian IP for the C&C server.

Right now, the detection rate for this Cryptolocker strain is very low: just 2 antivirus engines out of 56 on VirusTotal flag it.

Cryptolocker ransom screen shown to infected users