CIRCL warns against a crypto ransomware campaign that has been on the rise in Luxembourg the past weeks, impacting companies from different industries.

This growing threat affects both home Internet users and corporate network users. The attackers have developed a meticulous and advanced method: they infect a system in order to encrypt all files the user can reach, both locally and on remote shares. Once the encryption is complete, users can no longer access their files, and the attackers demand a ransom to allow recovery of the encrypted files. “We have seen that these attacks have been highly successful and in Luxembourg a number of companies have been impacted. Knowing that within corporate networks, file servers are extensively used, it is a perfect channel and platform for attackers”, explains Alexandre Dulaunoy from CIRCL.

CIRCL has already published two reports on this issue: TR09 in August 2012, describing the ransomware method, and TR33 in February 2015, analysing the CTB-Locker/Critroni infection.

How can you respond?

CIRCL has published a list of incident response actions that companies should, or at least could, carry out when faced with a Crypto Ransomware infection.

“One of the first things we recommend to victims of this infection is that they should never contact the attacker nor pay the ransom. Then, from the technical point of view and in the case of a detection, you should unplug the infected systems from the network. Other immediate actions can be taken and can be found here:”, states Sascha Rommelfangen, from CIRCL.
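As an added illustration of what "a detection" on the file-server side can look like, the script below flags a workstation that rewrites and renames an unusual number of files on a share within a short window. It is example code written for this page, not a CIRCL tool; the audit-record format, the actor names, the ".locked" suffix and the thresholds are all constructed.

```python
"""Burst detection for crypto-ransomware activity in file-server audit records.

A ransomware infection on one workstation typically overwrites and renames
many files on a mapped share in seconds, while a legitimate user touches a
handful of files per minute. This constructed example parses simplified
audit lines and flags any user@host whose WRITE/RENAME activity exceeds a
threshold inside a sliding time window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-record format (not any vendor's real log format):
# "<ISO timestamp> <user>@<host> <WRITE|RENAME> <path>"
LINE_RE = re.compile(r"^(\S+) (\S+)@(\S+) (WRITE|RENAME) (\S+)$")


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, op, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "actor": f"{user}@{host}",
            "op": op, "path": path}


def detect_bursts(lines, window_seconds=60, threshold=20):
    """Return {actor: peak_count} for every actor whose number of WRITE/RENAME
    events inside any sliding window of `window_seconds` exceeds `threshold`.

    The threshold is a constructed value; tune it to the share's normal load.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["actor"]].append(rec["ts"])

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for actor, stamps in events.items():
        stamps.sort()
        recent = deque()          # timestamps inside the current window
        peak = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            flagged[actor] = peak
    return flagged


def build_sample_log():
    """Constructed sample: normal office activity plus one workstation that
    overwrites and renames 40 files on the finance share within 40 seconds."""
    lines = [
        "2015-11-10T09:00:01 alice@ws-12 WRITE /share/finance/q3.xlsx",
        "2015-11-10T09:02:14 bob@ws-07 WRITE /share/hr/policy.docx",
        "2015-11-10T09:05:40 alice@ws-12 WRITE /share/finance/notes.txt",
    ]
    start = datetime(2015, 11, 10, 9, 10, 0)
    for i in range(40):
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} carol@ws-03 WRITE /share/finance/doc{i}.docx")
        lines.append(f"{ts} carol@ws-03 RENAME /share/finance/doc{i}.docx.locked")
    return lines


if __name__ == "__main__":
    for actor, peak in detect_bursts(build_sample_log()).items():
        # An operator would now isolate the host named here from the network.
        print(f"ALERT: {actor} produced {peak} file modifications within 60s")
```

The detector only looks at event rate per actor, which keeps it independent of any particular ransomware family's file extension; a real deployment would feed it the share's own audit trail and pick the threshold from a baseline of normal activity.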

You can also be proactive!

A number of proactive measures can be taken in order to lessen the impact and the risks associated with a Crypto Ransomware infection. The best defense against Crypto Ransomware is functional backups. “If you are able to easily recover your backup, you defeat the main objective of the attacker. Backups must be made off-line and thus detached from network connectivity or system connectivity”, notes Alexandre. To see the full list of proactive measures, go to:

CIRCL operates the MISP platform, where indicators for malware, including Crypto Ransomware, are shared. This allows private organizations to store, share and collaborate on malware indicators. It also helps improve the counter-measures used against targeted attacks and set up preventive actions.

The future of ransomware

“The future is bright for the attackers as long as victims keep paying the ransom. There are a number of new techniques also appearing such as the crypto ransomware named Chimera, which threatens to post the encrypted files online if the ransom isn’t paid. This gets even further as the ransom note contains a proposition for victims: they should take advantage of [their] affiliate program. They thus clearly push their victims to be part of mule networks”, concludes Alexandre.

