
Fake speeding fines make Cryptolocker lock up Australian files

Another day, another trick to scam computer users.

This time, scammers are sending emails to unsuspecting Australians claiming to be from the NSW Office of State Revenue chasing an unpaid speeding fine.

[Photo caption: The government has failed to properly explain its controversial data retention legislation. Photo: Simon Bosh]

That's $254 for an offence supposedly committed on October 27.

The email calling on recipients to "act now" is a fake, of course, as is the official-looking site it links to.

[Photo caption: A copy of the fake penalty notice. Photo: FireEye]

The only truth in the matter is that once on the fake site, users are prompted to download a zip file, which contains a PDF – supposedly the fine – and clicking on it triggers the installation of a variant of the Cryptolocker trojan known for encrypting user files and demanding a ransom to unlock them.
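The delivery chain above (a zip archive whose "PDF" is really a program) is the kind of thing a mail gateway or help desk can check before anyone double-clicks. The following is an added example, not code from the article or from FireEye: it opens an archive in memory and flags members whose leading bytes do not match the file type their name claims, or whose name carries a double extension. The file names, the member contents and the list of executable extensions are constructed for the demonstration; the real scam's attachment is not on the page.

```python
from __future__ import annotations

import io
import zipfile

# Content signatures checked here (assumption: only these two matter for this demo).
PDF_MAGIC = b"%PDF"   # a genuine PDF starts with this
PE_MAGIC = b"MZ"      # a Windows executable starts with this

# Extensions treated as directly executable (assumed list, not from the article).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks suspicious (empty list if none).

    `name` is the member's path inside the archive, `head` its first few bytes.
    """
    reasons: list[str] = []
    base = name.rsplit("/", 1)[-1].lower()
    exts = base.split(".")[1:]

    if len(exts) >= 2:
        reasons.append("double extension")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension")

    if head.startswith(PE_MAGIC):
        reasons.append("PE header")
        if "pdf" in exts:
            # The name says "document", the bytes say "program".
            reasons.append("pdf name with PE content")
    elif exts and exts[-1] == "pdf" and not head.startswith(PDF_MAGIC):
        reasons.append("pdf name without PDF header")
    return reasons


def suspicious_members(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of a zip archive to its list of reasons."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one executable disguised as a PDF, one genuine PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed: a PE stub (just the magic bytes and padding) with a document-looking name.
        zf.writestr("Penalty_Notice.pdf.exe", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
        # Constructed: a harmless file that really is a PDF.
        zf.writestr("notice.pdf", b"%PDF-1.4\n% constructed sample, not a real notice\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in suspicious_members(build_sample_archive()).items():
        print(f"{member}: {', '.join(reasons)}")
```

The check deliberately reads the member's bytes rather than trusting its name, because the name is exactly what the scammer controls; in a gateway you would quarantine on any finding rather than let the user decide.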

Researchers at security firm FireEye began receiving calls from companies in Australia on Thursday morning to check on the scam. The real NSW Office of State Revenue has since posted a notice on its website alerting people to it. 


"SDRO does not issue penalty notices or penalty reminder notices by email. We are aware of an email scam demanding payment of a fake penalty notice. If you receive such an email do not pay anything," the notice says. 

FireEye technical director for Australia and New Zealand, Rich Costanzo, said the malware was similar to that used in previous scams involving fake Australia Post and Energy Australia emails, but unlike them it also appeared to encrypt earlier versions of files on the hard drive.

It goes after "shared documents" on network servers.

Cryptolocker last hit a large number of Australian computers in September when an estimated 20,000 users were affected.

Mr Costanzo said that although only an initial analysis of the malware had been done so far, it indicated the ransomware dials back to Russia, the same source as previous variants. But he said it was not related to findings the company released this week on Russia-led cyber espionage.

"They have a very specific aim – this is about money," he said.

The scammers are demanding $A600 to unlock the files and appear to have specifically targeted Australians. 

Security expert Phil Kernick, of CQR, said this is because "we're easy. We're not a paranoid society – the immediate view is not that people are trying to steal from me."

However, Mr Kernick said Cryptolocker was a big deal: people should be suspicious of such emails, and there was little they could do once they had been tricked.

"We say don't pay, go back to yesterday's back up and restore everything."

But he said some private users seldom keep up-to-date backups.

"When people pay, in my experience, they will give you the key to unlock your files, but soon after that they'll get you again and again," he said.

Mr Costanzo said that where files have already been locked, the computer should be disconnected from all networks so the malware cannot go on to encrypt other drives.

Has your computer been infected? How did you recover your files?
