The campaign is ongoing, the NCA said, and relies on emails that appear to come from banks and other financial institutions.
The emails “appear to be targeting small and medium businesses in particular,” NCA said in an advisory.
The emails carry an attachment that purports to be correspondence linked to the email message (for example, a voicemail, fax, details of a suspicious transaction or invoices for payment). The file is in fact CryptoLocker, a ransomware family that uses public-key encryption to lock a variety of file types such as images, documents and spreadsheets: the files are encrypted with a public key, and the matching private key needed to decrypt them is held only on the attackers' server. The malware searches for files to encrypt on every drive and in every folder it can reach from the compromised computer, including workgroup files shared by colleagues and resources on company servers, so the damage is bounded by the victim's write access to shared resources rather than by a single machine.
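The behaviour described above, files rewritten in place across every reachable share, has a detectable side effect: ciphertext is near-random, so the entropy of affected files jumps while plain documents and text stay well below that level. The script below is an added example, not CryptoLocker code and not an NCA tool, showing how a defender might spot that pattern on a file share by comparing two per-file entropy snapshots. The share layout, file names, thresholds and the use of random bytes as a stand-in for real ciphertext are all assumptions made for the demonstration.

```python
"""Added example: detect mass in-place encryption on a share by comparing
per-file entropy snapshots. Not CryptoLocker code and not an NCA tool;
paths, thresholds and sample files are illustrative assumptions."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. Ciphertext and compressed data sit near 8.0;
    plain text and text-based formats (CSV, XML, HTML) sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_snapshot(root, min_size=256):
    """Map each file under root (as a relative POSIX path) to its entropy.
    Files smaller than min_size are skipped: their entropy is too noisy to judge."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            if len(data) >= min_size:
                snap[path.relative_to(root).as_posix()] = shannon_entropy(data)
    return snap


def detect_mass_encryption(before, after, jump=2.0, ratio=0.3):
    """Flag files whose entropy rose by at least `jump` bits between snapshots.
    Comparing against a baseline rather than an absolute threshold avoids
    flagging PDFs, JPEGs and zip-based .docx/.xlsx files, which are already
    high-entropy when healthy. Returns (alert, flagged_paths): alert is True
    when at least `ratio` of the baselined files jumped, i.e. many files changed
    at once, which is the ransomware signature rather than one edited document."""
    flagged = sorted(p for p, e in after.items()
                     if p in before and e - before[p] >= jump)
    frac = len(flagged) / len(before) if before else 0.0
    return frac >= ratio, flagged


def demo():
    """Constructed scenario: six 'invoices' on a share, four of them overwritten
    with random bytes as a stand-in for ciphertext (no real cipher is used)."""
    with tempfile.TemporaryDirectory() as share:
        docs = Path(share) / "finance"
        docs.mkdir()
        for i in range(6):
            (docs / f"invoice_{i}.txt").write_text(
                f"Invoice {i}: payment due on receipt. Ref ACME-{i:04d}\n" * 20)
        before = entropy_snapshot(share)
        for i in range(4):  # simulate the malware rewriting files in place, names kept
            (docs / f"invoice_{i}.txt").write_bytes(os.urandom(4096))
        after = entropy_snapshot(share)
        return detect_mass_encryption(before, after)


if __name__ == "__main__":
    alert, files = demo()
    print("ALERT" if alert else "ok", len(files), "files jumped:", files)
```

In practice the baseline snapshot would be taken from a scheduled scan of the share and the comparison run frequently enough to catch the encryption while it is still in progress; because the check keys on content rather than file names, it also works when the malware leaves names and extensions untouched.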
The malware then offers to sell the victim the private key needed to unlock the encrypted files. A payment page appears, giving victims a limited time to buy the key, together with a warning that the server will destroy the key once the deadline passes, after which the files can no longer be decrypted.
In the UK, the perpetrators are demanding a ransom of two Bitcoins (quoted at the time as about £536 or $300) for the decryption key.
If the ransom is not paid, the encrypted files cannot be decrypted and the only way to get them back is from a backup. Paying is no guarantee either: as the NCA noted, there is no assurance that the perpetrators would actually hand over the key.
An investigation by the NCA's National Cyber Crime Unit (NCCU) is ongoing to identify the source of the email addresses used. "The NCA are actively pursuing organized crime groups committing this type of crime," said Lee Miles, deputy head of the NCCU. "We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public."
Prevention is, of course, the best course of action. Users should not open such attachments; anti-virus software and operating systems should be kept up to date; and user-created files should be backed up routinely, with the backups kept off the network, because the malware encrypts any share or mapped drive it can write to and would otherwise encrypt the backups as well.
Where a computer becomes infected, it should be disconnected from the network immediately so that it can no longer reach shared drives, and professional assistance should be sought to clean it.