Worryingly, CryptoLocker ransomware turns from a Trojan... into a worm

CryptoLocker wormAs if CryptoLocker wasn't causing enough problems by infecting and locking thousands of innocent users' Windows computers, security researchers have discovered a new variant of the ransomware that takes its propagation to a new level.

As Trend Micro describes, new versions of CryptoLocker have been seen that have wriggled out of its Trojan horse form, and adopted the skin of a USB-spreading worm instead.

Up until this, CryptoLocker couldn't travel under its own steam. You would encounter it by opening an email attachment or clicking on a link perhaps claiming to come from your bank or a delivery company.

However, the new version can spread between removable drives - posing as activation keys for tools such as Adobe Photoshop and Microsoft Office, seeded on P2P file-sharing networks.

That means, of course, that the bad guys behind this new variant don't have to blast out a spam email campaign to spread their malware. And, it might make it easier for CryptoLocker to infect PCs across your organisation.

According to Trend Micro's researchers, however, there is some good news about the current worm version of CryptoLocker:

Further analysis of WORM_CRILOCK reveals that it has a stark difference compared to previous variants. The malware has foregone domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware. Hardcoding the URLs makes it easier to detect and block the related malicious URLs. DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains.

You can learn more about the new version of the CryptoLocker malware, in this Trend Micro blog post.

Make sure that you follow safe computing practices and are careful about what you run on your computers, and don't forget to keep your anti-virus updated and your wits about you.

Further reading: CryptoLocker: What is it? And how do you protect against it?

Tags: , , , , ,

Smashing Security audio podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , , , ,

One Response

  1. Richard Steven Hack

    January 5, 2014 at 5:47 pm #

    I suspected something like this was coming.

    Cryptolocker has been massively profitable to the malware authors. Massive profit leads to capital investment by others.

    Expect more and worse versions.

Leave a Reply