back to article File-NUKING Cryptolocker PC malware MENACES 'TENS of MILLIONS' in UK

The infamous Cryptolocker malware, which encrypts your computer files and demands a payment of £534 ($860) to unlock them, may have been sent to "tens of millions" of Brits, Blighty's crime-busters warned today. According to an alert from the UK National Crime Agency (NCA), a fresh round of ransomware-loaded spam posing as …


This topic is closed for new posts.
  1. Mark 85

    The Ransom?

    Bitcoins? And if you don't have any, then what? Basically f**cked, I suppose. Then again, opening a dodgy document/email might be considered foreplay to getting f**cked via malware.

    1. moylan

      Re: The Ransom?

      it would explain the rise in the value of bitcoins

    2. Anonymous Coward
      Anonymous Coward

      Ransom to be paid in BitCoins...

      Savvy crims, get paid, and boost the value of your investment!... Still, lots of unanswered questions...

      #1. What if a user spots a dodgy serial number looking exe in talk mangler, can they kill it?

      #2. The BBC site said many users were paying and not receiving the key?....

      #3. I want to know how drive-by attacks are infecting machines too. But all the news articles harp on about are dodgy attachments. However, originally drive-by attacks were also reported. So what was the attack vector: Java, Flash, other 3rd party plug-in, JavaScript etc etc?

    3. Anonymous Coward
      Anonymous Coward

      Re: The Ransom?

      If you don't have bitcoins, they expect that you'll buy some. Which you can do on any one of many exchanges. These criminals are smart enough to make sure they're hard to trace (Bitcoins are anonymous), but relatively easy to collect from their victims (you can legally and easily buy bitcoins online, you don't have to mine them yourself).

  2. Anonymous Coward
    Anonymous Coward

    Fucked up shit

    Got one of those I think. Was too suspicious to click it. Got deleted instead.

  3. Cardinal

    No shit Sherlock!

    "the NCA believes the operation is the work of a tech-savvy crime ring"

    How on earth do you do it Holmes?

  4. Don Jefe

    I guess this is good for getting new users into Bitcoin... But honestly it seems to me like the people who really want to see Bitcoin succeed would want to see an end to this sort of thing. It's just another reason policy makers can cite as proof Bitcoin is used 'primarily for criminal purposes'. If some people don't get their act together it's going to be hard to refute that claim.

    1. Anonymous Coward
      Anonymous Coward

      " another reason policy makers can cite as proof Bitcoin is used 'primarily for criminal purposes'."

      And who might be motivated to say that, I wonder?

      Follow the money.

      1. M Gale

        Follow the money.

        Isn't that what Bitcoin is designed to prevent?

        1. Destroy All Monsters Silver badge

          Somewhat (it's cashlike anonymous but you can indeed follow the bitcoin in particular when the bitcoin is exchanged with the government-sponsored paper money)

          But additionally, infinite money printing by the bitcoin central bank is a no-no.

  5. keithpeter Silver badge


    As we are paying billions to have GCHQ collecting data about us, could they not simply find and nuke the perpetrators? Or even just block the phone home so the cryptographic key never arrives?

    1. Shaha Alam

      Re: GCHQ

      the shepherd can usually do sod all about the wolves so spends his time mainly watching the sheep.

      1. Anonymous Coward
        Anonymous Coward

        Re: GCHQ

        Only watching the sheep?

        1. Ted Treen

          Re: GCHQ

          I take it you're Welsh...

    2. Slap

      Re: GCHQ

      "As we are paying billions to have GCHQ collecting data about us, could they not simply..."

      ...provide users that are hit by this with a backup of their data that they've already snaffled through nefarious means.


  6. nematoad


    Seems to me that the solution is obvious.

    Don't use Windows.

    I too have been the recipient of a number of spurious bank e-mails. I didn't touch them, of course, but even if I had they would have just bounced off as I use Linux.

    No, I'm not smug, just happy I got off the MS train of death years ago,

    1. Anonymous Coward
      Anonymous Coward

      Re: Nasty.

      You'd think Microsoft would go after these guys if plod won't/can't do it.

      How hard is it to offer the Mafia $1M through the back door to "rub out" three Ukrainian student geeks?

      Windows is never going to be "Loved" with this sh*t happening.

      1. SDoradus

        Re: Nasty.

        The geeks have already been rubbed out and the FSB has taken over.

    2. Adam 1

      Re: Nasty.

      Why is this a Windows only thing? I mean this specific malware was compiled for Windows but the attack vector is phishing and irrespective of the OS the user would have permission to write to those files.

      Sometimes smug is justified. Other times it is misplaced.

      1. Brad Ackerman

        Re: Nasty.

        Other than because the attackers didn't think that they would make enough BTC to justify a Linux port? Probably nothing. But I do reserve the right to snark about businesses that don't have offline backups.

      2. Anonymous Coward
        Anonymous Coward

        Re: Nasty.

        "Why is this a Windows only thing? I mean this specific malware was compiled for Windows but the attack vector is phishing and irrespective of the OS the user would have permission to write to those files."

        Because, like Windows, Linux file systems have an "execute" permission. The difference being that when Linux saves a file, the execute permission is disabled unless you manually enable it, preventing the malware from running by double-clicking the attachment.

        This makes running malware a lot more difficult, since you first need to know to change the permissions to execute the file and in doing so, probably understand that it's not in fact a weirdly named PDF but an executable pretending to be.

        Assuming you have given it execute permission, it still only executes in your user space, unless you're also stupid enough to enter your password and run it as root (assuming IT gave you the password). Since these businesses have been setup professionally with backups, nuking your user space isn't such a big issue as it can be restored and the OS remains in tact.

        This is why malware is more prevailant on Windows. Linux can still be infected, you just have to get the user to jump through a lot more hoops and they're more likely to trip on them and get suspicious.

      3. JLV

        Re: Nasty.

        This write-up doesn't say it, but others do:

        The malware "disguises" itself by files like "foobar.pdf.exe" and giving itself the PDF filetype icon.

        Windows, being Windows, and trying not to overwhelm our dear little heads with trivial information, comes with "hide extensions for known filetypes" checked on (one of the first things I undo on a new install).

        So to Joe Average, they are clicking on a PDF, not an EXE.

        Keep in mind, over the last 5 or 6 years, MS's "security" has been crying wolf ALL the time wrt to files. With regards to anything, really.

        For example, I can't even open my own Word files in an email at work without being nagged to death by Windows. Heck, I can't even _edit_ my own .cmd files in Notepad without a warning. So many users will dismiss whatever warning it does throw.

        So, yeah, maybe if Linux desktops had 80% penetration then someone might have cobbled more attack vector together and malware wouldn't "Windows only". And, as a Mac user, I figure we are overdue for a real nasty - Apple's security record is patchy, but BSD saves their bacon most days.

        But this particular flavor of fubar has Redmond's signature all over it. Not least, the lack of execute permissions on Windows files and the delegation of that responsibility to the user.

    3. BobChip

      Re: Nasty.

      Likewise. I went Linux about six years ago, and although I obviously benefit from the added protection it gives me, that is only one of the reasons I had for making the switch. I'm almost tempted to hope that Linux remains a minority interest on the desktop, just so that it is not worthwhile for the bad guys to attack it - even though that would be harder to do in the first place.

      More to the point, the cybercrime issue is now so serious that only governments, co-operating on a large scale internationally, can begin to combat it. But, as has been observed elsewhere in other comments here, they seem to be much more interested in watching the sheep than catching the wolves.

      1. JCitizen

        Re: Nasty.

        It is a different world now. The average dude or dudette, using Android on their mobile device will not suspect such at attack. It is true they will not run into a CryptoLocker type threat(yet), but for Linux newbies; they will fall for any social engineering trick in the book. So no matter what OS you use, if you don't have a clue, you will get pwned. At least the enlighten few here on the REG will never fall for such a scam; but we must be sympathetic for the bozos who do.

    4. Fatman

      Re: Nasty.

      The Trojan infects systems running Windows 8, Windows 7, Vista, and XP.

      That part is so telling.

      Poor, hapless WindblowZE (l)users, if they were not chained to the deck of the MS Titanic.

      1. Valeyard

        Re: Nasty.

        windblowze (l)users?

        Ah that reminds me of when i typed "micro$oft" when i was a punk-wannabe little 15 year old.

      2. Havin_it

        @Fatman Re: Nasty.

        Please, just don't. It probably sounded good in your head, but it's not helping.

    5. nematoad

      Re: Nasty.

      I notice with some amusement that my original post "Nasty" is getting mixed reviews. 26 up 26 down at the time of writing.

      Let me explain why I said what I said about not using Windows.

      It is NOT a personal attack on those using Windows, use what you like. I did however follow Microsoft's advice in deprecating unsafe software. MS itself has advised users not to use SHA-1 as there are serious concerns as to the lifespan of this algorithm see:

      So, if it's good enough for MS to say don't use something that is potentially unsafe, then it should follow that if the OS itself poses extreme risks to a user's data then it too should be avoided. Not an easy choice to make but if you are responsible for the safety of say, a companies data, then you really should consider eliminating anything that poses a threat to that data.

      As I said this is not a personal attack on anyone's choice of OS, just a suggestion to be as safe as you can be. The trouble is that the readers of El Reg probably don't need that spelled out for them, it's the general public who need to be informed of the threat. Though given the take up in Android and iOS that may mitigate some of the problem.

      1. Ben Norris

        Re: Nasty.

        The uptake of android and ios arn't going to mitigate anything. Windows is not the subject of these attacks because it is less secure but because it is more popular. As alternatives become widely used we will and are already seeing more and more attacks against them too. The common factor is the User, not the OS.

        1. nematoad

          Re: Nasty.

          "The common factor is the User, not the OS."

          And if the OS is inherently more secure then what does that do for the general risk to a person's data?

          Reduces it, I think.

          The uptake of Android and iOS will mitigate the threat from using unsafe OSs if it means that such an insecure OS is replaced by a more secure one.

  7. JassMan

    Simple answer

    Since it doesn't atack .EXE files, just change the extension of all your important files. Any decent OS can work out what app to launch from the file contents. Oh wait... Did someone say it atacks MS based OSes.

    Just tested it on a .DOC, .JPG and .TXT on my PC and seems to work well. I can even get rid of the extension completely and it still works. Does seem to confuse the thumbnails though - OOPS!

    1. Mark .

      Re: Simple answer

      If windows didn't use extensions for file types, presumably the Trojan would then also just figure out the file types too using the same method, anyway.

      1. This Side Up

        Re: Simple answer

        If Windows didn't use extensions for file types then it would presumably use proper file types which are independent of filenames. I'm fed up with getting attachments typed as binary data (Application/octet-stream) because some stupid Windows or webmail client hasn't bothered to set the Content-type properly.

        One problem is that if Windows users hide frequently used extensions, which is/was the default, then the attackers can send filenames ending in .doc.exe which look like .doc files if you've overlooked the fact that you shouldn't be seeing .doc either.

        The ransomeware is usually a .exe file inside a .zip file. I've received loads of them not just pretending to be from financial institutions but also from couriers.

  8. Martin 47

    NSA/GCHQ worried they are going to be underfunded next year and decided to take matters into their own hands perhaps?

    1. tony2heads
      Big Brother

      Try the Dilbert solution for backups

      after all the NSA & GCHQ must have all this stuff anyway

  9. Arachnoid

    If you do need Bitcoins buy em early in the morning the effing price on those things moves like $40 or more over the day.

    1. Anonymous Coward
      Anonymous Coward

      "If you do need Bitcoins buy em early in the morning"

      Any particular timezone?

  10. bod43

    I don't want an email client that can run code silently. I don't want email that contains code. It is all nuts.

    1. Destroy All Monsters Silver badge

      If you want filtering Software, you know where to get it.

  11. Dan 55 Silver badge

    £534 ($860)

    Now those are good, honest thieves. How many times have we had the £1 = $1 exchange rate foisted upon us by the likes of Apple for the same net return?

  12. FrankAlphaXII

    Pretty easy to mitigate this one, as is the case with most Windows malware that isn't custom tailored by a State Actor anymore. Disallow email attachments as you should have done 10 years ago (there's nothing that you can't use dropbox or the like for that absolutely has to be sent through email), don't download dodgy executables and don't pirate programs. If you do, use some common sense and scan the shit out of them before installing. Disable autorun (I can't believe that one still has to be said), and run the cryptoprevent tool from foolishit (or alternatively, manually add the registry keys that the tool adds if you don't trust the tool). Spending 15 minutes mitigating across your Windows clients is a hell of a lot cheaper than buying two bitcoins.

    Of course, don't let any of this stop some of you from your juvenile pissing and moaning about how Windows sucks, though no one in the real world cares. Really, if some FOSS people spent half as much time actually helping the projects they care about and attempting to fix fairly major and/or confusing problems as they do complaining about things they can't change in regard to the proprietary vendors, maybe there would be some solutions to the glaring problems preventing the >1% desktop adoption rate from increasing, but its easier and more fun to blame someone else I guess. It amazes me that the insecurity and persecution complex is still ongoing among far too many members of the community when it has been high time to grow up for quite awhile now.

    IMO, You need to be able to use, secure, and support everything on the market including but not limited to Windows, every fragmented bit of Linux distribution, Android, iOS, *BSD, AIX, HP-UX, and OS X and have a working knowledge of experimental edge cases like Haiku (among others) if you consider yourself a professional, otherwise find a different field to work in. IT is not a monoculture, it never has been and never will be.

    1. Ned (the original)


      Please don't confuse between the bitchtards and the Foss community.

      1. Don Jefe

        Re: @frankalphaxii

        I realize that email attachments are the source much of the undesirable code out there. But email attachments are also the source of a lot of desirable business that's out there as well. My business would grind to a halt in a quick fast hurry if we didn't allow attachments. What you're suggesting is like disallowing cars on the highway because cars are a major source of accidents.

        A well managed system doesn't disallow common operations, it mitigates the risks associated with those operations. Anybody can just turn things off. It takes someone who actually knows what they're doing to work within the requirements of the business.

        1. cracked

          Re: @frankalphaxii

          Yes and no, Don.

          Yes, in the real world, you can't expect an averageSME not to use risky procedures/technology to keep up with the competitors. And neither can you expect them to understand the risks and/or - in the majority of cases, in my experience - pay for effective mitigation.

          But no, because the system - in this case, the bit of the system called email attachments -is an enormous risk that, really, your average SME should not be taking. And this will only get worse, as time goes on - Crime is a lucrative business and the internet is a great place to carry on in that enterprise.

          In a system in which anonimity is on by default - and extremely difficult to turn off - no one should be receiving anything from any one. At least no one without the - or finances to acquire the - knowledge necessary to make sure what is being received is fit to be viewed.

          As history shows - and will, no doubt, go on showing - breaking something is much, much easier than building something that cannot be broken. Dig up that bloke Hadrian and ask him. And never mind Ukrainian students, all he had to deal with were a few Scottish lads with a tin or two of blue paint.

          Me? I remember when CDs were indestructable ...

          EDIT: Forum Overlords. Merit Badge Award: "Your post contains some invalid HTML". It probably still contains a few other invalid things, but even the limited help is much appreciated by this idiot :-)

          1. Don Jefe

            Re: @frankalphaxii

            I don't know... If a SME isn't going to allow attachments you're getting really close to the dreaded 'does the average person/small business need a computer at all' line.

            Unless you've got a really weird business that doesn't need supplies or has only one or two suppliers that sell fixed price commodities then operating without email is going to cause all sorts of expensive problems. Both parties are going to have to develop and enforce IT policies that for the vast majority of SME's and upstream SME suppliers are beyond their means. The vast majority (over 65%) of SME's in the US have annual revenues of less than $150k. Less than 25% of B2B vendors (suppliers) have revenues over $1m. Asking either of those groups to step up their IT is nearly a wasted effort: They simply don't have the means.

            You're going to end up with one of two solutions. Either an IT guy who is driven insane by exemptions or staff that just work right around the blocks and create new attack vectors in the process. I would argue that larger organizations could develop functional 'no attachment' policies and processes far easier than a SME.

            Even if you did manage to browbeat people into not using attachments I've yet to meet a successful SME owner or executive that's going to deal with those restrictions. They're the most likely to fall for some stupid spear-phishing attempt anyway. All you've done by blocking attachments is make things more complicated and risky. With an attachment you've got a known risk and lots of ways to defend that opening.

            1. cracked

              Re: @frankalphaxii

              I agree, Don - In the real world it's basically the same as the high % of drivers who beetle-about uninsured. Probably won't happen to them; deal with the consequences, at the time, if it does.

              The BBC was reporting this cryptovirus story, with the headline/sub "the cops" say SMEs need to be on the look out,

              But really, this situation (and many, many others like it) is the equivalent of plod announcing that a serial killer is on the loose, and that people should stay inside and lock their doors ... when the thin blue line knows very well that almost all of the potential victims have no idea how to use a key (or even have a key ... or a door).

              I'm in full agreement that, in the real world, stuff will go on porning a % of business and individuals so long IT pays well (by remaining complex).

              But when that same system is delivering routing instructions to Chuckiton Couriers' fleet of 3 driverless vans? ... And what about those medical/carer robot gizmos? Let's hope those old folks remember to flash their robot-friend's firmware, when a backdoor is (inevitably) found. When it's time for her colostomy bag to be changed, gotta hope granny isn't following the practices of today SMEs: hoping that 2007 pirate copy of ZoneAlarm - with a sub that expired in 2010 - will get her by ... And that granny can afford the upgrade, when support for her XP version expires next year.

              The original point - of this bit of the discussion - was that email attachments were too unsafe to be allowed. I would have preferred the point be that, unless "you know what you are doing" (or paying someone else who knows) then email attachments are not safe to accept. But the point probably still stands.

              The wider issue is - if something so "simple and everyday" cannot be made safe, then - piling more and more critical things on that same system, to be used by the same users or same skillsets, is asking for a lot of bother.

              Once her robot has granny by the throat, it will cost a lot more than $800 to decrpyt the ReleaseTheOldBatAtOnce routines.

          2. Adrian 4

            Re: @frankalphaxii

            Of course.

            But why do you need to EXECUTE attachments ?

    2. Xxeno

      Fine words except the last bit which is impossible to be imho.

  13. Herby

    And why aren't they going after this group??

    Oh, spam isn't that bad, and virus's can't hurt you. Wait until it infects something in Parliament/Congress and lots of congressional staffers have to pony up. Then we might see something about blasting this type of thing.

    Where is the FBI/Scotland Yard when you need them??

    1. silent_count

      Re: And why aren't they going after this group??

      "Where is the FBI/Scotland Yard when you need them??"

      And there it is. You know their response will be a more diplomatic version of, "Oh so now you do want us to keep tabs on the whole internet so that we can swiftly apprehend criminals. We'd like to do a better job of protecting the public but these pesky privacy laws.. "

      1. MrMur

        Re: And why aren't they going after this group??

        The entire UK police force is too tied up with investigations of investigations of investigations about plebgate.

        1. Yet Another Commentard

          Re: And why aren't they going after this group??


          I remain bitterly disappointed that the much overused and lazy -gate suffix wasn't used in the form gategate as it did, in fact, concern a gate. I guess as we now have a scandal about the scandal we are now at gategategate.

          1. Ben Norris

            Re: And why aren't they going after this group??

            Will that gate now be officially renamed the plebgate?

        2. This Side Up

          Re: And why aren't they going after this group??

          "The entire UK police force is too tied up with investigations of investigations of investigations about plebgate."

          and the dubious activities of various media personalities forty years ago.

  14. Ned (the original)

    mean to be kind

    Surely some security expert has already found the IP of the master server and blocked or advised not to contact it?

    I also think that for once the perps have at least done a clever attack. It might teach people one day to not stupidly believe the security they've just got their credit card out for and have some initiative themselves.

  15. thesykes

    OK, can someone explain how the bitcoins get transferred from one account to the other, and there be no trace whatsoever of where they've gone? Surely the coins have to go somewhere? And they are only of any use to a criminal if they can be converted into real cash? That means that a bitcoin account must have a real world bank account attached to it? And the worlds police agencies cannot trace that?

    1. Old Handle

      Bitcoin accounts (known as addresses) only have numbers. No name or other identifying information is attached. On the other hand a full record of every transaction is publicly available and they will as you say probably want to sell them for standard currency sooner or later. They will no doubt try a few tricks to confuse the trail, but it's still worth investigating.

  16. Yet Another Commentard

    Does anyone know...

    If the perps actually do bother to decrypt, or just take the bitcoins and run? I mean, why would they need to bother once they have the cash? Perhaps they are rather odd semi-honest criminals.

    1. Trigun

      Re: Does anyone know...

      The reason they decrypt is that it encourages victims to pay. If word-of-mouth was that they just rip you off (more than they have) then no one would pay up. If people know they can get their vital but foolishly un-backed up data back then will pay.

      One of the companies I help sysadmin got this. Fortunately we ensured that they had 2 independent backups + shadow copies enabled so we could get them back to roughly where they were that morning.

      1. lorisarvendu

        Re: Does anyone know...

        Yes they do attempt to decrypt every time. The occasional reports of things going wrong are most likely due to network shares becoming unavailable, or the malware being unable to re-establish connection to the C&C server.

        The frightening scenario is of more than 1 user in the same organisation being hit at the same time. If they both have the same network share mapped, each copy of the malware will encrypt files on that share - resulting in files encrypted twice...and possibly not in the same order. If one PC is faster than the other (or has faster network access) it could start decrypting a drive behind the other one, then overtake it.

        Both ransoms would have to be paid, and the decryption process run on both machines concurrently, so that when one PC threw up a "cannot decrypt this file" error, it would have to wait for the other PC to decrypt the file before it could undo its encryption.

        Our organisation has several "departmental" shares that hundreds of users have mapped at any one time. Luckily we do comprehensibly backup, but only every 24 hours. I dread an infection here.

  17. dominicr

    CryptoPrevent / ShadowExplorer

    You can protect a computer with the free CryptoPrevent utility. Once it is infected though you need an uninfected backup. If you haven't made a conscious backup, you might be able to recover files using ShadowExplorer (also free) - kudos Microsoft for their clever volume shadowing auto-backup feature.

    Or of course you can try paying the crooks. I'm surprised to see that the BBC report, presumably taking its info from the police, suggests that people who pay *don't* get their decryption key and just lose their money as well as their documents. From what I've read, paying the ransom does work, it would be pretty stupid of the crooks it if didn't. I suspect some deliberate misinformation from the authorities.

  18. codeusirae

    Lurking Ransomware ..

    "Lurking within the attachments is a Trojan called Cryptolocker, which when executed, silently installs itself"

    Does this malware prompt for the admin password before installing or can it install as standard user?

    1. Trigun

      Re: Lurking Ransomware ..

      It doesn't require admin credentials - a standard user can run it as long they are able to run an EXE.

    2. Richard 12 Silver badge

      Re: Lurking Ransomware ..

      Admin privileges aren't needed for software to make itself run on Windows 7 or 8.

      Admin is only needed if it installs into Program Files or another "protected" folder, or adds keys to HKLM.

      If it just installs into My Documents and adds auto run keys to HKCU, admin isn't needed and it can just go ahead and do anything to anything the user could.

      This isn't a privilege escalation, it's just doing anything a normal user could do - rearrange their Start menu/start screen, and mess with the user's files.

      If only somebody could think of something like an Execute flag that only an admin could set?

      1. Trigun

        Re: Lurking Ransomware ..

        You mean NTFS advanced setting "Traverse folder/execute file"? ;)

        1. Anonymous Coward
          Anonymous Coward

          Re: Lurking Ransomware ..

          "You mean NTFS advanced setting "Traverse folder/execute file"? ;)"

          I think he means done properly, i.e. not turned on by default/inheriting the permissions of the parent. If the user had to extract/save the file, right-click, properties, security, tick "execute" and then double-click the .exe, infection rates would drop massively.

  19. Andy The Hat Silver badge

    "You can protect a computer with the free CryptoPrevent utility."

    Which is all well and good if you knew of a safe, malware free, 100% trustworthy, unhijacked source for it ... and that assumes that the software itself is not a trojan that only installs crypto.

    I suppose I'd better take the risk and download a potentially insecure program from an totally unknown source on the internet to lock up a piece of malware which I don't yet have so don't know if aforementioned package will be sod all good anyway.

    I'm going to start chanting, reading charred bones, drinking urine and spreading duck fat on my keyboard to stop infection next ... I just love computers

    1. JCitizen

      If you can't trust who can you trust?

      Everything you'd ever want to know about it here!


    There is a simple solution....

    ... (but I suppose it won't work for businesses) get a Gmail account. Attachments are scanned for you.

    1. Ted Treen

      Re: There is a simple solution....

      Yes, but scanned for what?

      I've lost count of the number of friends/acquaintances who have installed AV on my advice, then complained two years later that their PC has nasties on it.

      No, of course they haven't kept their virus defs up to date - too much like hard work - despite the fact that (I thought) I'd drummed it into them that it was a necessity.

      Who knows how up-to-date GMail's scanning is? Sure, it's helpful:- but don't become complacent and totally rely on it.

    2. Anonymous Coward
      Anonymous Coward

      Re: There is a simple solution....

      " get a Gmail account. Attachments are scanned for you."

      I see quite a few emails now which have a footnote of "This email has been scanned" (doesn't say who by, what for, anything useful like that).

      As I see them in my works email, I suspect it might be the local Microsoft-centric IT department.

      Either way, I have no idea what that footnote means.

      Anyone else seeing similar? If it IS the IT department they'll be using standard MS tools and maybe a bit of Sophos or similar?

      1. Adrian 4

        Re: There is a simple solution....

        Or more likely put there by the sender so you think it's safe.

        If you don't know why it's there, it's worthless. And maybe even if you do, unless you have a way of verifying that the right people put it there.

  21. MJI Silver badge

    Job for GCHQ and co

    Find them, then call Hereford. Gives GCHQ something to do. And bit of training for the SAS.

  22. norman


    Step one, invest in BitCoins.

    Step two, release ransomware that only accepts BitCoins.

    Step three, Make profit, while making investment go through the roof.

    1. Scroticus Canis
      Black Helicopters

      Re: Hmmmm

      Had a similar thought myself Norman, but mine was more along the lines of BitCoin doing it themselves to increase the value of the "product" as people scramble to buy them to save their data.

      Am I being too paranoid? On second thoughts probably not in this day and age.

      1. Destroy All Monsters Silver badge

        Re: Hmmmm

        I don't think "Bitcoin" is a nefarious organization lurking in a lair underneath [preferred volcano]. "They" don't exist, Mulder!!

  23. Jeffrost

    As this ransomware appears to be a global issue, does it mean that GCHQ, NSA etc are a. Unaware b. Unconcerned about business profitability c. Not really monitoring the Internet after all . This has been live for at least 8 weeks guys.

  24. ecofeco Silver badge

    Let's do the math

    Assume 10 million is the real number.

    Now let's say .001 are actually infected. That's 10,000 actual infected PCs. Of that we will have to high/low on who actually pays.

    10,000 pay. Approx £5,340,000 in one month.

    5,000 pay and the rest wipe and start over. £2,670,000 in one month.

    Who in their right mind is going to pass up that kind of money if they can get away with it?

    1. Matt Bryant Silver badge

      Re: ecofeco Re: Let's do the math

      ".....Who in their right mind is going to pass up that kind of money if they can get away with it?" The prisons are full of idiots who thought exactly along those lines.

      1. Destroy All Monsters Silver badge
        Big Brother

        Re: ecofeco Let's do the math

        It's not like lots of persons who thought exactly along those lines are now holding very important positions in the political-economic nomenclatura.

  25. Anonymous Coward
    Anonymous Coward

    The gloves are off

    I say send in the SAS, capture these assholes and give them the full rubber hose treatment.

    And human rights be damned on this one, anyone who has been infected with this evil malware would agree with me on this.

    1. Destroy All Monsters Silver badge

      Re: The gloves are off

      The SAS cannot just drop into Russia. They have at least to tell the FSB first, otherwise the rubberhosing will be applied on the incorrect recipient.

      Here is a little story about "unnanounced operations" by the CIA in Turkey, for instance. It's a fun read:

      Spy vs. Spy: Iran, Turkey, and Israel Edition

  26. therealvicz

    You can watch the ransom money going home here

  27. Alan Brown Silver badge

    Not just local disks

    $orkplace had a visit from this ransomware on Thursday.

    It encrypted every single file on network fileservers it was able to get hold of.

    Needless to say there are some spectacuarly pissed off folk at the moment.

    1. Dave Lawton

      Re: Not just local disks

      Have you found the culprit, who clicked on the attachment, yet ?

      Or is there now a new way of auto-running attachments, by simply pre-viewing the email ?

      1. lorisarvendu

        Re: Not just local disks

        Theoretically the encryption process will change the owner of the file to the person with the infection, so the culprit could be tracked easily.

      2. Alan Brown Silver badge

        Re: Not just local disks

        Didn't happen in our department, so no. I believe the idiot has been identified, but she's only one among many.

        (PAs are the worst for disobeying rules and nobbling AV software so they can open attachements on the basis "It might be important" - even after getting repeated warnings about it. They're almost iompossible to sack too)

  28. This post has been deleted by its author

  29. Adam Reid

    Easily avoided

    This malware (in fact pretty much all malware) is easily avoided in a corporate environment:

    1) Block incoming attachments that contain executable files.

    2) Use an executable white-listing software so that users cannot run any program unless it is pre-approved. Applocker is built into Windows and will do this job with ease.

    1. lorisarvendu

      Re: Easily avoided

      The problem is that many businesses receive hundreds of unsolicited attachments every day, quite often in PDF form. Almost all of the mail recieved at UK University Admissions Offices are of this type. If someone gets an email with an attachment that has "PDF" on the end, chances are they'll open it, especially if it has a recognisable PDF icon.

      How do you prevent users doing this? Simply telling them not to open unsolicited emails is not the answer, since that will stop them doing 90% of their business. You can't rely on email server AV scanners, since the fact that corporate users are opening these mails proves that AV companies are having a hard time keeping up with the malware's changes in code.

      The answer is to educate users in the concept of hidden file extensions, and the fact that a PDF attachment will not say "PDF" on the end, and if it does, then it's likely there's a hidden "EXE". Unfortunately this is a concept that the majority of users (who have been brought up on the Windows graphical "point and click" environment of the last 30 years) find difficult to grasp.

      Oh and unhiding file extensions isn't the answer. We had a bunch of machines a few years ago with "hide file extensions" turned off by default. The result was that users would happily give their Office documents a name, save them, and then be unable to find them again. The reason? They were overwriting the ".DOC" or "XLS" on the end, so Word and Excel (which use extension filters) didn't show their files anymore.

      The best strategy to beat this is to mitigate the effects by educating users into the wisdom of regular offline backups. The malware's going to keep spreading because users gonna keep clicking, and so long as people are prepared to pay (because they have no alternative), Cryptolocker is a success. There will be more like it.

      Sure, regular backups aren't going to help recover that important file that you updated only 30 minutes ago, but if it's only the one file there's less incentive for you to fork out £4-600 to decrypt it. If you didn't backup several gigabytes of network files that constitute the whole of your business, then yes you'll pay silly money to get it all back, and that's the area where the malware thrives.

      1. Adrian 4

        Re: Easily avoided

        Can you think of a plausible use for a windows feature that allows one type of file to masquerade as another for the purposes of being executed by mistake ?

        I can't. Fix the OS properly, Microsoft.

        1. lorisarvendu

          Re: Easily avoided

          "Can you think of a plausible use for a windows feature that allows one type of file to masquerade as another for the purposes of being executed by mistake ?"

          Well yes I can. To allow apps to be opened by double-clicking files with a particular file extension - arguably one of the most important innovations in GUI computing for 30 years. So important a feature in fact that every other graphical OS has copied it. I'm running Linux with an LXDE desktop and if I change a file extension to DOC, the icon changes to a big fat "W", indicating that I've got Libre Office installed. I am reliably informed that OSX also does this.

          Ok so it goes wrong sometimes (note the default association of NFO files), but nobody could have anticipated it would be hijacked in the 21st Century to enable propagation of malware.

          "Fix the OS properly, Microsoft"

          Apart from the fact that you actually mean "Fix the OS properly Apple....Gnome...LXDE...KDE...Microsoft..." , what would you suggest? How would you redesign the graphical interface so that a user can easily identify files that open with a particular application, and then open that app by double-clicking the file...without enabling that feature to be hijacked by malware?

      2. Ants V

        Re: Easily avoided

        Exactly. I think most email servers are set up to reject emails containing executables from the outside - the only ones I have seen that users receive are executables inside a zip file.

        I advised my customers to look at the file extension (which is displayed by default in Outlook) and if it says .exe or .zip at the end, don't click. If it looks legit, forward me it for advice. I even sent them screenshots of what a bad 'un would look like.

        Users do stupid things, often believe they're too busy or don't understand or its our (IT's) problem to follow advice and good practice. But when the best practice doesn't take much effort to follow and its easy to communicate why the threat is such a big deal (in this case it translates to hard currency), the results are good.

  30. Fihart

    What suspect mails have you received ???

    I've received from HM Revenue & Customs (who would not send out random emails)

    And Fedex (I am not expecting any deliveries nor have ever used Fedex)

    Might it be useful if other readers listed any suspect emails they have received and these were collated into an editorial piece ?

  31. Anonymous Coward
    Anonymous Coward

    Bitcoin is the problem

    Bitcoin is the currency for crime, easier than cash or any physical high-value asset as no personal contact is involved. There have been times and places where a state has made the holding of Gold illegal - in 1933 USA "criminalized the possession of monetary gold by any individual, partnership, association or corporation."

    Time for similar legislation in respect of bitcoin.

    While we're at it the fraudsters other friend is Western Union whose security checks on recipients of cash transfers appear to be sufficiently lax that the fraudster gets away with it. Make WU responsible for a refund if fraud is proven.

    1. d3rrial

      Re: Bitcoin is the problem

      Anon for obvious reasons. You, sir, are mentally challenged. Cue downvotes.

  32. Crisp

    What is the UK National Crime Agency doing about this besides sending out warnings?

    Because, let's face it: my little sister could do that.

    1. lorisarvendu

      Re: What is the UK National Crime Agency doing about this besides sending out warnings?

      So what you want is for the NCA to publish their ongoing investigations on public fora, where everyone (including the people they are trying to catch) can read them?

    2. swampdog

      Re: What is the UK National Crime Agency doing about this besides sending out warnings?

      "What is the UK National Crime Agency doing about this besides sending out warnings?

      Because, let's face it: my little sister could do that."

      But could she manage to spend £500 million a year doing it? That's more than a million flagons of scrumpy a year! ;-)

  33. Anonymous Coward
    Anonymous Coward

    Does any security software work?

    I've got commercial security software (NIS) which seems to be getting very frequent updates - will this protect against Cryptolocker? If not is any of the other packages any better (NIS is due for renewal shortly).

  34. d3rrial

    Ingenius software

    I personally think that CryptoLocker is some ingenius piece of Software, and I am surprised nothing like this has emerged sooner, and I am disappointed, that I didn't have the idea to make it happen myself. Kudos to the developers, don't get too greedy.

    This might even have a positive effect on people who just click anything thats mailed to them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ingenius software

      Kudos to fraudsters? Really?

      Troll alert

      1. d3rrial

        Re: Ingenius software

        Why not? Its a sound business model and its well executed. Of course its unfortunate for people affected by it, but honestly, if you click on anything and don't keep backups, don't be surprised if one day you don't have any data left.

  35. All names Taken

    Is it NSA trying to improve homeland finances?

  36. All names Taken
    Paris Hilton

    Or maybe even ... ?

    When will return on investment calculations favour ditching computerised working methods for paper based working methods as the cost of computerised methods is so open to extortion, hacking, widespread leaking?

    (face it, wikileaks would have a tougher time if all that stuff were not in digital form stored on digital media)

    Return of the Luddites?

  37. fLaMePrOoF

    Anyone stupid enough to open an email attachment claiming to be from a bank these days frankly deserves to get *ucked.

    Perhaps these idiot's systems are off-line we won't have to put up with quite so many 'Like and Share to win an iPad' Facebook posts.

  38. Anonymous Coward
    Anonymous Coward

    You know its bad when

    The Police have to pay to get some scumbag's Cryptopwned drive unlocked because it has evidence on it.

    The problem is that if they for example seize someone's PC, etc and they say "Sorry, got a virus" its damn near impossible to prove that it wasn't infected deliberately.

This topic is closed for new posts.

Other stories you might like