A new variant of the file-encrypting ransomware known as Cryptolocker has begun spreading using a dangerous new feature: self propagation through USB drives, according to multiple security firms.
Antivirus firms Trend Micro and ESET both found evidence of the new version of Cryptolocker spreading on the Internet. The malicious software is somewhat different than the original Cryptolocker, including functionality which creates a copy of itself on removable media, suggesting that the malware could be a copycat.
The ability to spread to other computers and encrypt data means that the ransomware variant could spread more widely than the original Cryptolocker, according to JD Sherry, vice president of technology and solutions for Trend Micro.
Cryptolocker has raised the bar for the class of malware known as ransomware. Ransomware typically locks a PC by modifying the operating system until the user pays a fee. Cryptolocker, however, uses the Windows operating system’s encryption library to make more than 70 types of files unreadable without a key. The malware has effectively forced many companies to pay the ransom because they did not have adequate backups to recover the data.
While the latest resurgence of ransomware schemes began more than a year ago in Russia and Eastern Europe, more than half of all Cryptolocker infections are in the United States. The latest version, called “Cryptolocker 2.0” by its creators, can spread like a virus or worm by infecting USB sticks. While the malware does not apparently have the ability to automatically run, the copied executable file could allow it to spread further, according to Trend Micro.
Originally found by antivirus firm ESET on 19 December, Cryptolocker 2.0 has some differences from the original version. The variant claims to use a stronger form of encryption, RSA-4096, but in reality, uses a weaker version, RSA-1024. The original version used RSA-2048. In addition, the new version only allows victims to pay via Bitcoin, while the original Cryptolocker allowed other forms of payment, as well.
When researchers further analysed the code, the differences became more pronounced. The new variant is written in the C# programming language, but the original Cryptolocker was written in Microsoft’s Visual C++. In addition, although the original CryptoLocker focused on business files, the new version encrypts images, video and audio files, as well.
Those differences, in addition to changes to the encryption methods, have led researchers to conclude that the latest version is likely a copycat of Cryptolocker.
“It is unlikely that the malware that calls itself ‘Cryptolocker 2.0’ is actually a new version of the previous Cryptolocker malware from the same authors,” ESET stated in its blog post. “The switch from C++ to C# would be something unexpected to say the least, and in any case, none of the key differences can be considered significant improvements.”
Are you a security pro? Try our quiz!
Originally published on eWeek.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…