The Crypt0L0cker ransomware, otherwise known as Torrentlocker or Teerac, was a common ransomware infection that mostly targeted Australia and European countries in 2014. Towards the middle of 2015, though, this ransomware slowly started dying off to the point that it was hardly distributed anymore.

Fast forward to the beginning of February 2017 where we are now seeing Crypt0L0cker making a strong come back and targeting European countries once again.

Crypt0L0cker Campaigns Targeting European Countries

Over the past few days, I have been receiving a lot of requests for help in decrypting files encrypted by Crypt0L0cker. To see if there was a resurgence in activity, I checked the ID-Ransomware site and saw that towards the end of January Crypt0L0cker went from a small amount of submissions to the their site a day, to close to a 100. Then in February things started picking up even more with some days having over 400 submissions related to Crypt0L0cker.

A chart showing the change of submissions ID-Ransomware between January 1st and March 1st 2017 can be seen below.

ID-Ransomware Submission Chart
ID-Ransomware Submission Chart
Thanks to Daniel Gallagher for helping with the chart!

I then reached out to security researchers at Microsoft Malware Protection Center, who also confirmed that Crypt0L0cker, or Teerac as they call it, is indeed showing increased activity. Their telemetry shows that it was again focusing on European countries as shown by their provided telemetry map.

Europe Telemetry Map for Crypt0L0cker
Europe Telemetry Map for Crypt0L0cker
Source: Microsoft MMPC

Microsoft further told BleepingComputer that the current campaign appears to be heavily focusing on Italy as shown by the close up heat map below.

Telemetry Map Showing Italy as a Major Target
Telemetry Map Showing Italy as a Major Target
Source: Microsoft MMPC

Italian SPAM Campaign Utilizing Certified Electronic Email

Microsoft also informed me that an Italian ransomware blog called Ransomware.it had an interesting article about Crypt0L0cker's current campaign and how it was targeting Italy using Certified Electronic Email to deliver SPAM emails that pretend to be invoices. These emails will have a subject like Invio fattura n. 391091 and will contain an attached .JS file with a name like fattura_398672.js. When this JS file is executed, it will download and install Crypt0L0cker on the affected computer.

Italian Crypt0L0cker Ransom Note
Italian Crypt0L0cker Ransom Note

What is interesting about this SPAM campaign is that it is using Italy's Posta Elettronica Certificata, otherwise known as  PEC. According to Poste.it, PEC allows people to send email messages with a high level of security that has the same legal value as a registered letter and also has a receipt showing that it has been received.  These emails are signed with a digital signature to make them look more official.

An example SPAM email can be seen below.

SPAM Email
SPAM Email

You can see an example of the digital signatures used by the SPAM emails below. 

Digital Signature
Digital Signature

Without a doubt the use of Italy's PEC system will provide a sense of security to those who receive these emails and thus may cause them to feel more secure when opening the attachments. This is just another example showing how ransomware developers are adopting new techniques when distributing their malware. It also tell us that end users and companies must remain vigilant and practice safe computing habits when it comes to opening email attachments.