Cryptolocker 2.0 turns into worm that spreads via USB drives

Security researchers have discovered what looks like a copycat version of the Cryptolocker ransom Trojan that drops some of the malware’s sophistication in favour of the single innovation of being able to spread via USB drives.

According to security firms Trend Micro and ESET, the recently discovered worm-like Crilock.A variant (which calls itself ‘Cryptolocker 2.0’) poses as an updater for Adobe Photoshop and Microsoft Office on sites frequented by P2P file sharers.

The command and control architecture is also new, ditching the domain generation algorithm (DGA) in favour of less sophisticated hardcoded URLs. Both of these odd developments have convinced Trend Micro that Crilock.A is the work of copycats rather than the original Cryptolocker gang.

Targeting file sharers is a strange choice because, while it increases the chance that the malware will be downloaded, the potential list of victims is still far smaller than with the previous ‘official’ version. A similar point could be made about the abandonment of DGA for hard-coding, which is much easier to block; security firms simply have to reverse engineer the list and the malware becomes useless.

However, there are advantages to these changes. Hard-coding is simpler, while spreading from P2P sites is a way of remaining less visible than would be the case when using a flood of phishing emails.

Most interesting and perhaps revealing of all, Crilock.A adds the ability to infect removable drives. This worm technique is as old as the hills, and although it slows the malware's spread, it does ensure a degree of longevity. On the other hand, while it can hide on drives for years to come, by the time it activates it will probably be detected by every security programme in existence.

This whole strategy speaks of an opportunist gang that has hijacked (i.e. reverse engineered) the malware to hit a small but global target that has something valuable to protect – files shared illegally via P2P. This group is for obvious reasons also less likely to raise a complaint with police.

Just for added spice, the variant adds other sneaky abilities, including launching a component to launch DDoS attacks, steal Bitcoin wallets and even launch a Bitcoin-mining tool.

ESET has published a full list of the differences between Cryptolocker and Crilock.A/Cryptolocker 2.0 on its website, including noting the eccentric use of the more compute-intensive 3DES encryption format rather than the more conventional AES.

In the same week Cryptolocker 2.0 was detected before Christmas, Dell SecureWorks published its estimate that the original version of the programme had infected around 200,000-300,000 PCs in 100 days. Around 0.4 percent of these victims probably paid the demanded ransom of around $300 in Bitcoins or via MoneyPak.