Large numbers of UK SMEs are being targeted by a major spam campaign pushing the vicious Cryptolocker ransom malware using plausible-looking targeted attachments, the National Crime Agency (NCA) has warned.

In an unusual alert, the NCA’s Cyber Crime Unit (NCCU) said that “tens of millions of UK customers” were in the sights of the latest campaign, which was turning up in inboxes posing as invoices from banks and financial organisations.

After encrypting any data files it finds on local and network-shared drives, this particular campaign demands 2 Bitcoins (£550 at current rates) in ransom for the unlock key.  The point is driven home by a countdown timer that demands money by a given date, usually 72 hours later

"The NCA are actively pursuing organised crime groups committing this type of crime. We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public," said NCCU deputy head, Lee Miles.

Police were trying to track down the source of the email database being used to target firms, he said, a statement that hints at the disturbing possibility that a compromised database is being used, possibly also to target named individuals. If correct, such targeting would greatly increase the campaign’s effectiveness and make it much harder for ISP and business anti-spam systems to filter out malicious emails.

Firms or individuals caught by Cryptolcoker should not pay the ransom, which in any case would be unlikely to deliver the unlock key, Miles added. This seems like good advice; Russian firm Kaspersky Lab has warned that criminals using the malware appeared not to be supplying unlock keys to paying victims.

It’s not clear when this campaign began or even if it’s that new but when it comes to the extraordinary Cryptolocker, a devastatingly effective piece of global malware that dates back no further than August 2013, anything is possible.

Too often, police in many countries have appeared to be behind the threat, reacting to the damage after it has been inflicted. In the space of only a few short weeks, Cryptolocker has become without challenge the malware story of 2013.

Who is behind Cryptoocker is a matter of speculation but the culprits are believed to be an organised crime house with Russian and Ukrainian connections, possibly inspired by criminals that launched the wave of hugely-profitable fake antivirus scams a few years back. It also seems to connected to banking malware campaigns.

Given that Cryptolocker’s encryption can’t be cracked, there is plenty of advice on how to protect a business or individual PC against the effects of Cryptolocker, starting with the unpleasant fact that even up-to-date antivirus software won’t be enough.

Basic protections include having recent secure and structured backups (not synchronised cloud backups, which could simply make things worse), and even resetting the PC's clock to delay the countdown timer.  Another angle is using software restriction policies.

The most important advice is not to wait for official organisations such as US-CERT and the UK’s NCA to warn of malware; the latest alert is worth paying attention to but is weeks later than it should have been.

UK security expert Graham Cluley has published an excellent summary of Cryptolocker and a link to Bleepingcomputer’s must-read FAQ.