
Cryptolocker 2.0 turns into worm that spreads via USB drives

Copycats take aim at P2P file sharers


Security researchers have discovered what looks like a copycat version of the Cryptolocker ransom Trojan that drops some of the malware’s sophistication in favour of the single innovation of being able to spread via USB drives.

According to security firms Trend Micro and ESET, the recently discovered worm-like Crilock.A variant (which calls itself ‘Cryptolocker 2.0’) poses as an updater for Adobe Photoshop and Microsoft Office on sites frequented by P2P file sharers.

The command and control architecture is also new, ditching the domain generation algorithm (DGA) in favour of less sophisticated hardcoded URLs. Both of these odd developments have convinced Trend Micro that Crilock.A is the work of copycats rather than the original Cryptolocker gang.

Targeting file sharers is a strange choice because, while it increases the chance that the malware will be downloaded, the potential list of victims is still far smaller than with the previous ‘official’ version. A similar point could be made about the abandonment of DGA in favour of hard-coding, which is much easier to block: security firms simply have to reverse engineer the list of URLs, and once those are blocked the malware becomes useless.

However, there are advantages to these changes. Using hard-coding is simpler while spreading from P2P sites is a way of remaining less visible than would be the case when using a flood of phishing emails.
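The contrast drawn above, between a hard-coded C2 list that can be blocked outright and a DGA whose domains have to be recognised heuristically, is easy to see in a small log-triage script. The following is an added example written for this page, not code from Trend Micro, ESET or the malware analysis itself; every hostname, IP address and log line in it is constructed for illustration, and the blocklist entries are placeholders standing in for whatever URLs an analyst would extract from a real sample. It matches proxy log entries against the placeholder blocklist and, for everything else, applies a simple entropy and vowel-ratio heuristic of the kind used to spot DGA-style domains.

```python
"""Added example (not from the article): triaging proxy logs for hard-coded
C2 hosts versus DGA-like hostnames.

All hostnames, IPs and log lines below are constructed placeholders; none are
real indicators from Crilock.A / Cryptolocker 2.0.
"""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Placeholder list standing in for the hostnames an analyst would recover from
# a sample's hard-coded URLs (hypothetical values, not real indicators).
HARDCODED_C2_BLOCKLIST = {
    "update-photoshop.example",
    "office-patch.example",
}

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2013-12-20T10:01:05Z 10.0.0.12 GET http://update-photoshop.example/check.php 200
2013-12-20T10:01:09Z 10.0.0.12 GET http://www.example.org/index.html 200
2013-12-20T10:02:31Z 10.0.0.15 POST http://xqzvbtrkpwlmnd.example/gate 404
2013-12-20T10:03:02Z 10.0.0.17 GET http://office-patch.example/v2 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga_like(hostname: str,
                   entropy_threshold: float = 3.3,
                   vowel_floor: float = 0.2) -> bool:
    """Heuristic: a long, high-entropy, vowel-poor second-level label.

    Thresholds are illustrative; a real deployment would tune them against
    a baseline of the organisation's own traffic.
    """
    labels = hostname.lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < 10:
        return False
    vowels = sum(ch in "aeiou" for ch in sld)
    return (shannon_entropy(sld) >= entropy_threshold
            and vowels / len(sld) < vowel_floor)


def triage_proxy_log(log_text: str, blocklist=HARDCODED_C2_BLOCKLIST):
    """Return (client_ip, hostname, reason) for each suspicious request.

    Hard-coded C2 hosts are an exact-match lookup, which is why a recovered
    list makes them trivial to block; DGA-style names need the heuristic.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the triage
        _ts, client_ip, _method, url, _status = m.groups()
        host = urlparse(url).hostname or ""
        if host in blocklist:
            hits.append((client_ip, host, "hardcoded-c2"))
        elif looks_dga_like(host):
            hits.append((client_ip, host, "dga-like"))
    return hits


if __name__ == "__main__":
    for client_ip, host, reason in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client_ip} -> {host}: {reason}")
```

The exact-match branch is the whole of the defence against hard-coded URLs once the list has been recovered, which is the article's point; the heuristic branch shows why a DGA costs defenders more, since it can only flag names that look machine-generated and will need tuning to keep false positives down.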

Most interesting and perhaps most revealing of all, Crilock.A adds the ability to infect removable drives. This worm technique is as old as the hills and, although it slows the malware's spread, it does ensure a degree of longevity. On the other hand, while it can hide on drives for years to come, by the time it activates it will probably be detected by every security programme in existence.

This whole strategy speaks of an opportunist gang that has hijacked (i.e. reverse engineered) the malware to hit a small but global target that has something valuable to protect – files shared illegally via P2P. This group is, for obvious reasons, also less likely to raise a complaint with police.

Just for added spice, the variant adds other sneaky abilities, including a component to launch DDoS attacks, steal Bitcoin wallets and even run a Bitcoin-mining tool.

ESET has published a full list of the differences between Cryptolocker and Crilock.A/Cryptolocker 2.0 on its website, including noting the eccentric use of the more compute-intensive 3DES encryption algorithm rather than the more conventional AES.

In the same week Cryptolocker 2.0 was detected before Christmas, Dell SecureWorks published its estimate that the original version of the programme had infected around 200,000-300,000 PCs in 100 days. Around 0.4 percent of these victims probably paid the demanded ransom of around $300 in Bitcoins or via MoneyPak.


Bryan Dunsheng See said: That would make all kinds of sense I think the scammers would want to make money out of this probably using the logos of BOTH the government agencies including law enforcement at the least and security vendors such as AVG Symantec Kaspersky and Microsoft but I doubt BatteryIncluded and the people on Wikipedia especially Dennis Brown Scottish arbitrator AGK William V Burns known for Stanistani handle on Wikipedia and Zoloft on Wikipediocracy and Wikipedia Review and Boing said Zebedee would want to lock anybody from their computers with these to prevent any further threats of disruption to the project as well as to prevent their interaction with it to continue and force their suicide via an increase in their medication intakes
