A note on the Polish Post "undelivered parcel" scam

At the end of March we reported on the first campaign whose aim was to infect users with file-encrypting software (CryptoLocker). A few days ago the same incident was described by Niebezpiecznik and the Secure Cyberspace Foundation. Since then:

  1. Today our reader Stephen (thank you for the information) reported that he fell victim to the same spam.
  2. So did Norbert, who no longer has access to his important files.

All of these recent campaigns that use the image of the Polish Post have one thing in common: someone is trying to make considerable money off their victims at very little cost.

The message reads:

"The courier has not delivered the shipment with notification number RR2188538397PL* to the address on 11.07.2015*, because no one was present at the time. Please see the shipment information and go to the post office to collect the package."

* different numbers and dates may appear.

The link in the message redirects the victim to a page where they are asked to type in a captcha code and download "information about the shipment". The downloaded archive contains an EXE file that masquerades as a PDF by its extension and icon. When the "PDF" is run, it fetches a Trojan horse from the network, which in turn downloads and runs Crypt0L0cker. It is important to know that any devices connected to the USB ports, as well as network drives, are scanned by Crypt0L0cker for the "desired" file extensions, which are then encrypted with the RSA algorithm using a strong 2048-bit key. Recovering the files is "almost" impossible, but more on that below.
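The attachment stage above (an executable hiding behind a document icon and extension inside an archive) can be caught before the file is ever opened. The following is an added example, not code from the original post or from any of the products it mentions. It builds a constructed ZIP archive in memory with one real PDF and two disguised executables, then flags members whose name or leading bytes do not agree: a document extension followed by an executable one, a PE ("MZ") header behind a non-executable extension, a ".pdf" whose content lacks the "%PDF-" signature, and, going a step beyond the article, a right-to-left override character that visually reverses the tail of a filename. The extension lists are assumptions chosen for the example.

```python
import io
import zipfile

# Extensions Windows will execute directly; constructed list for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a user expects to be harmless documents or images; constructed list.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
RLO = "\u202e"  # Unicode right-to-left override: makes "notice_<RLO>fdp.exe" display as "notice_exe.pdf"


def _exts(name):
    """Return every dotted suffix of the base name, lower-cased, e.g. ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_member(name, head):
    """Return the list of reasons an archive member looks like a disguised executable.

    `head` is the first few bytes of the member's content; an empty list means no finding.
    """
    reasons = []
    exts = _exts(name)
    if exts and exts[-1] in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        reasons.append("double extension: %s" % "".join(exts))
    if RLO in name:
        reasons.append("right-to-left override character in filename")
    if head.startswith(b"MZ") and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        reasons.append("PE header (MZ) but extension %s" % (exts[-1] if exts else "<none>"))
    if exts and exts[-1] == ".pdf" and not head.startswith(b"%PDF-"):
        reasons.append("named .pdf but content lacks %PDF- signature")
    return reasons


def suspicious_members(zip_bytes):
    """Scan an in-memory ZIP and return {member_name: [reasons]} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic bytes are needed, not the whole member
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample archive: one genuine PDF and two harmless stubs that only carry a PE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("shipment_info.pdf", b"%PDF-1.4\n% constructed placeholder PDF\n")
        zf.writestr("shipment_info.pdf.exe", b"MZ" + b"\x00" * 62 + b"constructed stub, not a program")
        zf.writestr("notice_" + RLO + "fdp.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in suspicious_members(build_sample_archive()).items():
        print(repr(member), "->", "; ".join(reasons))
```

The same `classify_member` check can be applied to a message attachment that is not archived at all, by passing its filename and first eight bytes; the archive walk is there because the campaign described above delivers the executable inside an archive.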

We warn once again against ransomware, which encrypts the files on a user's computer and demands a ransom, paid in Bitcoin, for their recovery. We address these words especially to victims who have already had to deal with changed "file extensions" or with restoring data from a backup.

We also urge you to use a decent antivirus program. A very interesting component for protection against lockers comes from the Polish vendor Arcabit. The module, named SafeStore, was designed to protect against all data-encoding pests of the MoneyPack family, that is ransomware and lockers. It works as follows: the virus scanner checks every "touched" file, regardless of who (or what) opens or writes it, and if the file's extension matches one of the masks (doc, docx, docm, xls, xlsx, xlsm, ppt, pptx, pps, ppsx, pptm, ppsm, odt, ods, odp, rtf, pdf, abw, dbk, dps, et, gsc, wps, jpg, jpe, jpeg, png, bmp, tif, tiff, psp, psd, wpd, sxw, sxc, sxd, wks, wk1), a copy of the file is made before it is modified and added to the protected list in SafeStorage (you can find it under "Tools"). Each new version of the file also goes into SafeStorage, so in a sense SafeStorage acts as a short-term backup. Files in SafeStorage are kept for 3 days and then deleted, but a file that is "touched" again is added to the SafeStorage list again.
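To make the copy-before-modify idea concrete, here is an added example that is not Arcabit's code and does not describe how SafeStore is implemented; it is a hypothetical toy store that follows the behaviour described above: a write to a file whose extension matches the mask list is preceded by a copy of the old version, every version is retained, and copies older than three days are pruned. The `demo()` function plays through the scenario the article is about: a document is edited, then overwritten with garbage standing in for an encrypted version, and the last good version is restored from the store. Paths, timestamps and the subset of extensions are constructed for the example.

```python
import os
import shutil
import tempfile
import time

# Subset of the extension masks listed in the article; constructed selection for brevity.
PROTECTED_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "odt", "ods", "rtf", "pdf",
                  "jpg", "jpeg", "png", "bmp", "tif", "tiff", "psd"}
RETENTION_SECONDS = 3 * 24 * 3600  # the article states copies are kept for 3 days


class SafeStore:
    """Hypothetical copy-before-modify store; a stand-in for the mechanism the article describes."""

    def __init__(self, store_dir, exts=PROTECTED_EXTS, retention=RETENTION_SECONDS):
        self.store_dir = store_dir
        self.exts = exts
        self.retention = retention
        os.makedirs(store_dir, exist_ok=True)

    def is_protected(self, path):
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        return ext in self.exts

    def _slot(self, path):
        # One sub-directory per protected file, keyed by its absolute path.
        key = os.path.abspath(path).replace(os.sep, "_").replace(":", "")
        return os.path.join(self.store_dir, key)

    def snapshot(self, path, now=None):
        """Copy the current content of `path` into the store; return the copy's path or None."""
        if not self.is_protected(path) or not os.path.isfile(path):
            return None
        now = time.time() if now is None else now
        slot = self._slot(path)
        os.makedirs(slot, exist_ok=True)
        # Name = millisecond timestamp plus a sequence number so versions sort chronologically.
        dest = os.path.join(slot, "%d.%09d" % (int(now * 1000), len(os.listdir(slot))))
        shutil.copy2(path, dest)
        return dest

    def write(self, path, data, now=None):
        """Every write to a protected file is preceded by a snapshot of the previous version."""
        self.snapshot(path, now)
        with open(path, "wb") as fh:
            fh.write(data)

    def versions(self, path):
        """Stored copies of `path`, oldest first."""
        slot = self._slot(path)
        if not os.path.isdir(slot):
            return []
        return sorted(os.path.join(slot, n) for n in os.listdir(slot))

    def restore(self, path, version_index=-1):
        """Bring back a stored version (the newest by default) and return its bytes."""
        src = self.versions(path)[version_index]
        shutil.copy2(src, path)
        with open(path, "rb") as fh:
            return fh.read()

    def prune(self, now=None):
        """Delete copies older than the retention window; return how many were removed."""
        now = time.time() if now is None else now
        removed = 0
        for slot in os.listdir(self.store_dir):
            slot_path = os.path.join(self.store_dir, slot)
            for name in os.listdir(slot_path):
                stamp_ms = int(name.split(".")[0])
                if now - stamp_ms / 1000.0 > self.retention:
                    os.remove(os.path.join(slot_path, name))
                    removed += 1
        return removed


def demo(now=1436000000.0):
    """Constructed scenario (timestamp is an arbitrary July 2015 epoch value)."""
    work = tempfile.mkdtemp()
    store = SafeStore(os.path.join(work, "safestore"))
    doc = os.path.join(work, "invoice.docx")
    store.write(doc, b"version 1", now)                 # file did not exist: nothing to snapshot
    store.write(doc, b"version 2", now + 60)            # snapshot of "version 1" taken first
    store.write(doc, b"\x00GARBAGE\x00", now + 120)     # stands in for an encrypted overwrite
    n_versions = len(store.versions(doc))               # two good copies are now in the store
    restored = store.restore(doc)                       # newest copy is "version 2"
    removed = store.prune(now + 4 * 24 * 3600)          # four days later both copies expire
    shutil.rmtree(work)
    return {"versions": n_versions, "restored": restored, "removed": removed}


if __name__ == "__main__":
    print(demo())
```

The point the scenario makes is the one the article makes: the store is useful only if the bad write happens inside the retention window and the store itself is not writable by the same process that does the damage, which is why a product like SafeStore ties it to the scanner rather than to a user-visible folder.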

Regardless of which antivirus program you use, it is worth proactively following a few rules:

  1. Create backups of your most important files, entire partitions or system snapshots.
  2. Keep your applications updated, so that accidentally visiting a malicious website does not end in a drive-by attack using an exploit.
  3. Make sure a decent antivirus program is protecting you.
  4. Exercise caution when using e-mail. Do not open suspicious attachments or hyperlinks. Pay attention to the sender's address (hover your mouse over the sender to see the real address, provided the offender has not used more advanced spoofing).
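Rule 4 asks the reader to look behind what the mail client displays: the name shown for the sender versus the real address, and the text of a link versus where it actually points. The following added example (not code from the original post) automates both checks on a constructed message modelled on the parcel notification above. All domains in the sample are constructed `.example` names, and the sample is labelled as such; the checks look for a display name that itself contains an address with a different domain, a Reply-To or Return-Path domain that differs from the From domain, and anchor text that names a different host than the href.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_findings(raw):
    """Compare the displayed sender with the real address and related headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []
    # A display name that looks like an address is the classic trick: the client shows the name.
    if "@" in name and _domain(name) != from_dom:
        findings.append("display name shows %s but address is %s" % (name, addr))
    for hdr in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(hdr, ""))
        if other and _domain(other) != from_dom:
            findings.append("%s domain %s differs from From domain %s" % (hdr, _domain(other), from_dom))
    return {"display_name": name, "address": addr, "findings": findings}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Links whose visible text names a host other than the one the href really points to."""
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        real = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and "." in shown and shown != real:  # ignore plain words such as "click here"
            out.append((text, real))
    return out


def analyse(raw):
    """Run both checks over a raw RFC 5322 message; HTML body only (single-part) for brevity."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_content() if not msg.is_multipart() else ""
    return {"sender": sender_findings(raw), "links": link_mismatches(body)}


# Constructed sample message; every domain is a reserved .example name.
SAMPLE = """\
From: Poczta Polska <powiadomienia@przesylka-info.example>
Reply-To: support@tracking-service.example
To: victim@example.net
Subject: Undelivered parcel RR2188538397PL
Content-Type: text/html; charset=utf-8

<p>The courier could not deliver your parcel.</p>
<p><a href="http://przesylka-info.example/track?id=RR2188538397PL">poczta-polska.example/tracking</a></p>
"""

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Neither check proves a message is malicious; a legitimate mailing service often sets Reply-To to another domain. They reproduce what the hover in rule 4 shows a careful user, so the result is something to look at, not an automatic verdict.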

If all of these points have failed and the files have been encrypted anyway, there is only one recovery method, and it is not entirely effective. Follow the tips in "DecryptCryptoLocker: a service for decrypting files after a CryptoLocker infection".

And if you are a victim of other malware, read this:

  1. Step by step: how to recover files encrypted by the CoinVault ransomware.
  2. Cisco has published a decryption tool for TeslaCrypt.



We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.