During the past few months, advancements in CryptoLocker put ransomware on the public’s radar in a major way.
But according to researchers at Trend Micro, enhancements in the world of ransomware have not stopped as the year as 2013 has come to a close.
According to the company, a piece of ransomware they believe is a variant of CryptoLocker has the ability to now spread through removable drives. This update is significant because it has not been seen in other variants and the added propagation routines means the malware can easily spread, according to Trend Micro.
“Aside from its propagation technique, the new malware bears numerous differences from known CryptoLocker variants,” blogged Abigail Pichel of Trend Micro. “Rather than relying on a downloader malware—often UPATRE— to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites. Uploading the malware in P2P sites allows bad guys to easily infect systems without the need to create (and send) spammed messages.”
In another break from the norm, the malware – detected by Trend Micro as WORM_CRILOCK.A – has abandoned domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware.
“Hardcoding the URLs makes it easier to detect and block the related malicious URLs. DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains,” Pichel noted. “This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect latter variants to have the DGA capability.”
There are a number of other differences between the malware and other versions of CryptoLocker, so much so that some have questioned whether or not the variant is a variant at all. Researchers at ESET for example noted that this malware – which calls itself CryptoLocker 2.0 – claims to use RSA-4096 (it actually uses RSA-1024) anad doesn’t show a countdown timer like CryptoLocker. It also only accepts the ransom in Bitcoins as opposed to other methods.
“Taking into account all the aforementioned differences, it is unlikely that the malware that calls itself ‘Cryptolocker 2.0’ is actually a new version of the previous Cryptolocker ransomware from the same authors,” blogged Robert Lipovsky, a malware researcher at ESET.
In any event, research from Dell SecureWorks suggests that CryptoLocker has done significant damage. According to the company, the criminal gang behind CryptoLocker infected between 200,000 and 2500,000 computers in the first 100 days of a campaign that began Sept. 5.
“Based on this information and measurements of infection rates, CTU researchers estimate a minimum of 0.4%, and very likely many times that, of CryptoLocker victims are electing to pay the ransom,” blogged Keith Jarvis, Dell SecureWorks Counter Threat Unit Threat Intelligence.
“Based on its design, deployment method, and empirical observations of its distribution, CryptoLocker appears to target English-speakers, specifically those located in the United States,” Jarvis added. “Malware authors from Russia and Eastern Europe, where the CryptoLocker authors are thought to originate, commonly target victims in North America and Western Europe. Law enforcement cooperation between these regions is complicated by numerous factors, which often results in threat actors believing that they can operate with impunity.”
According to Pichel, to avoid the latest variant of CryptoLocker, Web surfers should be wary of using peer-to-peer sites to get copies of software, and instead visit reputable sites.
“Given WORM_CRILOCK’s ability to spread via removable drives, users should also exercise caution when using flash drives and the like,” she blogged, adding that users should never connect their drives into unfamiliar or unknown machines.