“Tens of millions” at risk from Filecoder due to “mass email spam event” targeting small businesses, British police agency warns

Tens of millions of computer users are at risk from Filecoder due to a “mass spamming event”,  detailed in an alert from Britain’s National Cyber Crime Unit.

The malware, identified by ESET as Win32/Filecoder, is transmitted via emails that appear to come from banks and financial institutions, the National Cyber Crime Unit warns.

“The emails may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular. This spamming event is assessed as a significant risk,” the NCU warned, as reported by The Register.

“The emails carry an attachment that appears to be correspondence linked to the email message (for example, a voicemail, fax, details of a suspicious transaction or invoices for payment),” the agency warns.

Filecoder works by encrypting the user’s files, displaying a countdown timer, and demanding a ransom of 2 bitcoins (approx $946), the NCU said. The British agency says that it “would never endorse the payment of ransom to criminals and there is no guarantee that they would honour the payments in any event.”

Lee Miles, Deputy Head of the NCCU says “The NCA are actively pursuing organised crime groups committing this type of crime. We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public.”

The Register describes the encryption Filecoder uses as “virtually unbreakable” in its report.

The British agency’s warning follows a message from the U.S. Computer Emergency Response Team (US-CERT) a warning of an “increasing number” of infections with Cryptolocker, as reported by We Live Security here.
ESET Malware Researcher Robert Lipovsky says, “We’ve noted a significant increase in Filecoder activity over the past few summer months,” in a detailed blog post where Lipovsky says, “We hope to answer the many questions we’re getting about this issue.

Lipovsky’s report on We Live Security showed countries that were being targeted with the malware – delivered via drive-by downloads and email attachments, among other common infection methods. At the time, Russia, Spain and Italy were the site of most infections.
US-CERT’s warning said that in the U.S., the malware, “appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices,” the agency said.  “ In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

“To decrypt files, you need the private key,” the Trojan warns users, “The single copy of the private key is on a secret server. The server will destroy the key after the time specified in this window. After that, nobody will be able to restore the files.”
PC Authority said that on 1 November, a variant of the Trojan allowed users to recover “past deadline” by paying an even bigger sum – 10 bitcoins, or $3,000.

The malware affects Windows users running Windows 7, Vista and XP.

The threat is not an empty one, Lipovsky says, “Unfortunately, in most cases, recovering the encrypted files without the encryption key is nearly impossible.”

With quick action, users can sometimes recover data – but the best defense is caution. A guide to how to defend against ransomware is here. The most important advice is to back up data, according to Lipovsky.

“If they have backups, than the malware is merely a nuisance,” says ESET researcher Robert Lipovsky. “So, the importance of doing regular backups should be strongly reiterated.