Fake SDA email brings back CryptoLocker.

 A new variant of CryptoLocker is being spread thanks to a fake SDA parcel notification.
TG Soft's Anti-Malware Research Centre (C.R.A.M.) has acknowledged a new incidence of CryptoLocker-related attacks, starting from the early afternoon of 4th April 2016.
This new variant of the infamous cryptomalware is spreading thanks to a fake SDA email.


The goal of the fake SDA emails that deliver CryptoLocker is to trick the user into clicking on the links and buttons in order to allegedly check the label of a package that has been delievered to a post office and has to be redeemed, with the threat of a fine should the package not be withdrawn in time.

The header of the email is the following:
  • Sender: SDA EXPRESS COURIER <info@transogui.es>
  • Subject: il pacchetto non consegnata per voi (lit. a not delivered package for you)

The email has a clean layout but, despite this should represent an official statement, the Italian grammar is very inconsistent.
 Screenshot of the fake SDA email that has been spreading new CryptoLocker variants
Click to show the fake SDA email fullscreen
The receiver is asked to download and print the shipment label from the link and bring it to a post office. Should the receiver not redeem the package in 30 days, they will then be charged 5.85€/day.

The link redirects to a webpage that bears striking similarity to the original SDA website; this is where the user has to download the alleged label.

Screenshot of the fake SDA website that has been spreading new CryptoLocker variants

At this point, if the captcha is inserted (this is a static number, set to 22558), and the [SCARICA] (download) button is pressed, a .zip archive containing CryptoLocker will be downloaded; if run, this will encrypt files on the computer and then will demand a ransom.

Unless (but also if) you are waiting for a parcel from SDA, do not get overwhelmed by curiosity and avoid clicking links and buttons found inside of emails. Our advice is, should you encounter such emails, to forward them to our Research Centre for further analysis: lite@virit.com.

CryptoLocker's family was technically analysed in 2013. For further details please refer to our bulletin dated 06/12/2013 Bad news with CryptoLocker.

How to stay safe from cryptomalware attacks with Vir.IT eXplorer PRO technologies

In our 26/11/2015 bulletin, we tried to describe those technologies built into Vir.IT eXplorer PRO and how to use them properly.

TG Soft's Research Centre (C.R.A.M.) has been analyzing the most widespread cryptomalware types for three years, and has developed two technologies:

  • Vir.IT BackUp, an advanced backup utility devised to protect every user's most precious files. Vir.IT BackUpis very simple and straightforward to use; it allows the user to select the files and folders they want to have a backup copy of. The copy is an automated and scheduled process. Should a computer be infected by a new generation and yet-to-be-identified cryptomalware causing widespread encryption, Vir.IT BackUp copies can be reverted, since an advanced BackUp system is used, so that these copies can hardly be accidentally deleted or "forcefully" altered by some malware.
  • A real-time protection module based on a heuristic and behavioural approach. It is capable of identifying those tasks that behave in a similar way to cryptomalwares and, once identified, it can halt them, thus stopping the encryption and saving more than 99.63% of data files.
    It was verified on real attacks that the minimum number of encrypted files, in the early stages of cryptomalware attacks (even new generation ones), is 5 - thus sparing every other file. Potentially encryptable files are approximately 10'000, so this technology effectiveness stands at (1-5/10.000)*100 = 99,95%.
  • In the very short time span when the cryptomalware has just begun encrypting data and the heuristic automata has yet to intervene, Vir.IT eXplorer PRO AntiCryptoMalware module enacts a techique called "On-The-Fly Backup", which:
    • creates a backup copy of document files (such as .doc, .xls, .pdf, .jpg) between 2KB and 3MB;
    • stores these copies for 48 hours to allow recovery in case of necessity.
TG Soft's Anti-Malware Research Centre (C.R.A.M.)

Vir.IT BackUp saves your precious data from cryptomalwares

Heuristic protection from cryptomalware

Mean percentage of files protected from encryption thanks to Vir.IT eXplorer PRO
Vir.IT eXplorer PRO saves your precious files, even from cryptomalwares

Vir.IT eXplorer PRO saves your precious files, even from cryptomalwares
If Vir.IT eXplorer PRO has been correctly set up, it is possible to save up to 100% of data in case of cryptomalware. Those file that may have been encrypted in the early stages of the attack can be restored thanks to Vir.IT BackUp, thus reducing the loss to 15/20 files - in the case they were created/edited before a new backup could be made.

Vir.IT eXplorer PRO users can take advantage of these technologies, especially Vir.IT Backup, in order to save their precious data from cryptomalware or other yet-to-be-discovered malicius software and their variants.

How and where to buy Vir.IT eXplorer PRO security suite

Decryption of files, which have been encrypted with 2048 bit long keys, is only theoretically possible, but it is technically impracticable. We invite you to consider the purchase of Vir.IT eXplorer PRO since prevention is the only way to contrast cryptomalwares.

Vir.IT eXplorer PRO can be purchased in the following ways:

TG Soft - Public Relations

*Mean percentage of files saved from encryption thanks to Vir.IT eXplorer PRO technologies - data gathered from actual cryptomalware attacks by TG Soft's Research Centre (C.R.A.M), October 2015.


Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: