Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

CryptoLocker Ransomware Now Spreading Through Removable Drives

During the past few months, advancements in CryptoLocker put ransomware on the public’s radar in a major way.

But according to researchers at Trend Micro, enhancements in the world of ransomware have not stopped as the year as 2013 has come to a close.

During the past few months, advancements in CryptoLocker put ransomware on the public’s radar in a major way.

But according to researchers at Trend Micro, enhancements in the world of ransomware have not stopped as the year as 2013 has come to a close.

According to the company, a piece of ransomware they believe is a variant of CryptoLocker has the ability to now spread through removable drives. This update is significant because it has not been seen in other variants and the added propagation routines means the malware can easily spread, according to Trend Micro.

“Aside from its propagation technique, the new malware bears numerous differences from known CryptoLocker variants,” blogged Abigail Pichel of Trend Micro. “Rather than relying on a downloader malware—often UPATRE— to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites. Uploading the malware in P2P sites allows bad guys to easily infect systems without the need to create (and send) spammed messages.”

In another break from the norm, the malware – detected by Trend Micro as WORM_CRILOCK.A – has abandoned domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware.

“Hardcoding the URLs makes it easier to detect and block the related malicious URLs. DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains,” Pichel noted. “This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect latter variants to have the DGA capability.”

There are a number of other differences between the malware and other versions of CryptoLocker, so much so that some have questioned whether or not the variant is a variant at all. Researchers at ESET for example noted that this malware – which calls itself CryptoLocker 2.0 – claims to use RSA-4096 (it actually uses RSA-1024) anad doesn’t show a countdown timer like CryptoLocker. It also only accepts the ransom in Bitcoins as opposed to other methods.

“Taking into account all the aforementioned differences, it is unlikely that the malware that calls itself ‘Cryptolocker 2.0’ is actually a new version of the previous Cryptolocker ransomware from the same authors,” blogged Robert Lipovsky, a malware researcher at ESET.

Advertisement. Scroll to continue reading.

In any event, research from Dell SecureWorks suggests that CryptoLocker has done significant damage. According to the company, the criminal gang behind CryptoLocker infected between 200,000 and 2500,000 computers in the first 100 days of a campaign that began Sept. 5.

“Based on this information and measurements of infection rates, CTU researchers estimate a minimum of 0.4%, and very likely many times that, of CryptoLocker victims are electing to pay the ransom,” blogged Keith Jarvis, Dell SecureWorks Counter Threat Unit Threat Intelligence.

“Based on its design, deployment method, and empirical observations of its distribution, CryptoLocker appears to target English-speakers, specifically those located in the United States,” Jarvis added. “Malware authors from Russia and Eastern Europe, where the CryptoLocker authors are thought to originate, commonly target victims in North America and Western Europe. Law enforcement cooperation between these regions is complicated by numerous factors, which often results in threat actors believing that they can operate with impunity.”

According to Pichel, to avoid the latest variant of CryptoLocker, Web surfers should be wary of using peer-to-peer sites to get copies of software, and instead visit reputable sites.

“Given WORM_CRILOCK’s ability to spread via removable drives, users should also exercise caution when using flash drives and the like,” she blogged, adding that users should never connect their drives into unfamiliar or unknown machines.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.