Cryptolocker ransomware variant targets USB drives
Security researchers have discovered what looks like a copycat version of the Cryptolocker ransom Trojan that drops some of the malware’s sophistication in favor of the single innovation of being able to spread via USB drives.
According to security firms Trend Micro and ESET, the recently discovered worm-like Crilock.A variant (which calls itself "Cryptolocker 2.0") poses as an updater for Adobe Photoshop and Microsoft Office on sites frequented by peer-to-peer file-sharers.
The command and control architecture is also new, ditching the domain generation algorithm (DGA) in favor of less sophisticated hardcoded URLs. Both of these odd developments have convinced Trend Micro that Crilock.A is the work of copycats rather than the original Cryptolocker gang.
Targeting file sharers is a strange choice because it while it increases the chance that the malware will be downloaded the potential list of victims is still far smaller than with previous "official" version. A similar point could be made about the abandonment of DGA for hard-coding, which is much easier to block; security firms simply have to reverse engineer the list and the malware becomes useless.
Lying in wait
However, there are advantages to these changes. Using hard-coding is simpler while spreading from P2P sites is a way of remaining less visible than would be the case when using a flood of phishing emails.
Most interesting and perhaps revealing of all, Crilock.A adds the capability to infect removable drives. The worm technique is longstanding, and infecting drives may slow its spread but does ensure a degree of longevity. On the other hand, while Crilock.A can hide on drives for years to come, by the time it activates it will probably detected by most security programs.
This whole strategy speaks of an opportunist gang that has hijacked (reverse engineered) the malware to hit a small but global target that has something valuable to protect—files shared illegally via P2P. This group is for obvious reasons also less likely to raise a complaint with police.
Just for added spice, the variant adds other sneaky abilities, including launching a component to launch DDoS attacks, steal Bitcoin wallets, and even launch a Bitcoin-mining tool.
ESET has published a full list of the differences between Cryptolocker and Crilock.A/Cryptolocker 2.0 on its website, including noting the eccentric use of the more compute-intensive 3DES encryption format rather than more conventional AES.
In the same week Cryptolocker 2.0 was detected before Christmas, Dell SecureWorks published its estimate that the original version of the programme had infected around 200,000 to 300,000 PCs in 100 days. Around 0.4 percent of these victims probably paid the demanded ransom of around $300 in Bitcoins or via MoneyPak.