GATSO! Speed camera phish leads to CryptoLocker ransomware clone…

Thanks to Benjamin Humphrey of SophosLabs for the
behind-the-scenes effort he put into this article.

Recently, we came across an intriguing phishing campaign that combines two feared products of the information age.

Gatsos (speed cameras) and ransomware, rolled into one attack!

It all started with a phishing email claiming to be from the Office of State Revenue in New South Wales, Australia.

The subject matter is a speeding fine you are alleged to have clocked up:

Details are scant, notably that the location is identified only by a code number and your registration number (a.k.a. licence plate or tag) is not given.

But the time of the alleged offence is stated as 11.21pm, presumably a time at which most people wouldn’t be driving, giving a glimmer of hope that some sort of mistake was made.

(Or someone else was driving your car. Wouldn’t you love to see if the speed camera could tell you who it was?)

You ought to smell a rat, of course, not least because the word “offence” is spelled in two different ways in the email, and the penalty notice number is inconsistent:

But, as we said, Gatsos get many people’s knees a-knocking, so you might be inclined to click on ACT NOW anyway.

→ Did you know that the name Gatso comes from a Dutch rally driver called Maurice Gatsonides, who ironically came up with the idea of a speed camera so he could learn to drive faster?

The next step in the phish takes you to a what looks like a download portal page belonging to the State Debt Recovery Office (SDRO).

To add a touch of realism, the crooks have made it harder, not easier, to access your penalty notice by making you solve a CAPTCHA first:

The real SRDO portal looks vaguely similar, but has one important difference:

There’s a warning entitled SCAM ALERT posted across the top of the real page, advising you about just this sort of scam.

Interestingly, we regularly see scams that try to add a veneer of legitimacy by incorporating real warnings and anti-phishing advice from the very sites they are impersonating – advice you would be well-advised to take!

The ransomware download

Once you solve the CAPTCHA shown above, you are redirected to a download site that serves up a file called

Again, you ought to smell a rat, especially if you unzip the file and notice it contains an undisguised program called offence_id_37984264.exe.

Sophos Anti-Virus will block this file with the name Troj/Ransom-ANH, and with good reason: it’s ransomware, that dastardly brand of malware that scrambles your data and offers to sell it back to you.

This one calls itself CryptoLocker, borrowing the “brand name” of one of the best known ransomware variants ever distributed:

The original CryptoLocker reached its peak of notoriety towards the end of 2013, giving you three days to come up with $300 if you wanted to see your data again.

By March 2014 it was estimated that in the UK alone, about 1 in 30 users had their system hit by CryptoLocker, and 40% of those paid up.

The original CryptoLocker was neutralised after a US-led takedown operation managed to confiscate the servers it used to generate and store the decryption keys.

CryptoLocker took care never to have a copy of the decryption key on your computer (not even in memory), where you might be able to intercept it without paying the ransom. That meant generating a public-private key pair on its own servers, and then releasing only the public key, used for encryption. In other words, if the malware couldn’t call home, it couldn’t get an encryption key, so it didn’t scramble your data. Taking the servers offline therefore had the handy side-effect of preventing further ransoms from being demanded.

The Troj/Ransom-ANH ransomware even has a handy Frequently Asked Questions page:

This explains that the only way to get your data back is to pay up, and refers you to a website accessible via the anonymising service Tor:

The fee is the BitCoin equivalent of US$500 if you pay up within five days (120 hours), or US$1000 if you wait.

A common “feature” of recent ransomware, shown above, is the option to decrypt a single file for free – a crooked version of “try before you buy” aimed at convincing you that the crooks really do have your decryption key, but without giving you so much as a hint what that key might be.

The bottom line

Fortunately, in this case:

  • The phishing email contains some rather obvious errors. (Although the absence of mistakes doesn’t prove that an email is legitimate, egregious errors should persuade you that it is fake.)
  • The links via which the ACT NOW button takes you to the fake SDRO page would be blocked by Sophos’s web filtering products.
  • The downloaded ransomware would blocked by Sophos Anti-Virus as Troj/Ransom-ANH.
  • The ransomware’s “call home” would be detected by the Sophos UTM as a malware command-and-control operation.
  • The fake CAPTCHA site and the malware download site have been taken down anyway, making detection a moot point now.

This reminds us of two things: that defence in depth really works, and that a little caution goes a long way.

Image of speed camera available under CC BY-SA 2.0 licence.