Details of the Crypt0L0cker file virus



Computer users around the world are being targeted by a new iteration of Crypt0L0cker, one of the prevalent file-encrypting ransomware strains. The updated variant is easy to identify because it appends a random extension of six lowercase letters to each encrypted file. It also drops a new ransom note: HOW_TO_RESTORE_FILES.txt/html.

This fact doesn't make the newest ransomware build any less devastating, though.
The infection is proliferating through multiple concurrent spam campaigns. One vector is email spam: users find an eye-catching new message in their inbox that pretends to be an invoice, receipt, bill, job offer, ISP complaint or cancellation request. The purpose of these rogue emails is to persuade the recipient to open the attachment. Inside the enclosed ZIP file is a JS or HTA item that triggers the infection chain when opened.

A recent shift in the bad guys' operation involves spam circulated on social networking sites, predominantly Facebook and LinkedIn. This tactic is trickier because it does not necessarily require the user to open the malware-tainted image. The ransomware developers have apparently found a loophole in the social networks' security, so the drive-by may go off without any action on the recipient's end. The bad files are mainly SVG images or JavaScript files with double extensions that make them look like a different, harmless format.

Along with enciphering data, the Crypt0L0cker file virus makes specific files impossible to recognize, because it replaces filenames with random hexadecimal characters. It also drops ransom notes named -Instruction.html and -Instruction.bmp, which contain the victim's personal link to the decryption service. The ransomware demands 0.5 Bitcoin, about 400 USD, for decryption. Unfortunately, there is no way to restore Crypt0L0cker-encrypted files at this point.
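As a defender-side illustration of the indicators described above (the six-letter lowercase extension, hexadecimal filenames, the HOW_TO_RESTORE_FILES and -Instruction ransom notes, and double-extension SVG/JS lures), here is an added example in Python; it is not code from the original article. The allowlist of legitimate six-letter extensions, the set of active-content extensions, the five-file threshold and the sample file listing are all assumptions constructed for the example, not observed telemetry.

```python
import re
from collections import Counter

# Indicators the article describes (constructed lists; not a vendor signature set).
RANSOM_NOTE_NAMES = {"HOW_TO_RESTORE_FILES.txt", "HOW_TO_RESTORE_FILES.html"}
RANSOM_NOTE_SUFFIXES = ("-Instruction.html", "-Instruction.bmp")
# Encrypted files: random six lowercase letters appended as the extension,
# and the original name replaced by random hexadecimal characters.
SIX_LOWER_EXT = re.compile(r"^[a-z]{6}$")
HEX_STEM = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
# Assumption: a small allowlist of legitimate six-letter extensions to cut false positives.
KNOWN_SIX_LETTER_EXTS = {"config", "sqlite", "python", "plugin", "bundle", "jsonld"}
# Active content the article names (JS, HTA attachments; SVG lures) plus a few
# related script types (assumption).
ACTIVE_CONTENT_EXTS = {"js", "jse", "hta", "svg", "vbs", "wsf"}
MIN_ENCRYPTED_FILES = 5  # assumption: hits needed before calling a host likely infected


def classify_path(path: str):
    """Return an indicator label for one path, or None if nothing matches."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name in RANSOM_NOTE_NAMES or name.endswith(RANSOM_NOTE_SUFFIXES):
        return "ransom_note"
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return None
    stem, ext = parts[0], parts[-1]
    # "photo.jpg.js": a harmless-looking inner extension hiding a script.
    if len(parts) >= 3 and ext.lower() in ACTIVE_CONTENT_EXTS:
        return "double_extension"
    if len(parts) == 2 and ext.lower() in ACTIVE_CONTENT_EXTS:
        return "active_content"
    if SIX_LOWER_EXT.match(ext) and ext not in KNOWN_SIX_LETTER_EXTS:
        # A hex-only stem plus a random extension is the strongest encrypted-file signal.
        return "encrypted_file" if HEX_STEM.match(stem) else "suspicious_extension"
    return None


def scan(paths):
    """Count indicator hits over a file listing and give a simple verdict."""
    counts = Counter(label for label in map(classify_path, paths) if label)
    likely = counts["ransom_note"] > 0 or counts["encrypted_file"] >= MIN_ENCRYPTED_FILES
    return {"counts": dict(counts), "likely_crypt0l0cker": likely}


# Constructed sample listing for a stand-alone run (not real telemetry).
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/report.docx",
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Documents/HOW_TO_RESTORE_FILES.txt",
    "C:/Users/alice/Documents/HOW_TO_RESTORE_FILES.html",
    "C:/Users/alice/Documents/3f2a9c8e1b7d.kqzwxy",
    "C:/Users/alice/Documents/a81c44e0f92b.kqzwxy",
    "C:/Users/alice/Pictures/c0ffee1234.kqzwxy",
    "C:/Users/alice/Downloads/invoice_2017.zip",
    "C:/Users/alice/Downloads/photo.jpg.js",
    "C:/Users/alice/Downloads/invoice.hta",
    "C:/Users/alice/AppData/app.config",
]

if __name__ == "__main__":
    for p in SAMPLE_LISTING:
        print(f"{classify_path(p) or '-':22} {p}")
    print(scan(SAMPLE_LISTING))
```

The scan works on a plain list of paths, so it can be fed from a file-system walk, a backup manifest or an EDR file-event export. The six-letter extension rule alone is noisy (many legitimate extensions are six lowercase letters), which is why a hex-only stem is required for the stronger "encrypted_file" label and why a ransom note, which is unambiguous, is enough on its own to trigger the verdict.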
