CryptoLocker Ransomware Variant Includes More Pernicious Features

Security researchers say that the Cryptolocker ransomware, or a copycat variant, has become more pernicious because it can now spread automatically to USB sticks.

A new variant of the file-encrypting ransomware known as CryptoLocker has begun spreading using a dangerous new feature: self propagation through USB drives, according to multiple security firms.

Antivirus firms Trend Micro and ESET both found evidence of the new version of CryptoLocker spreading on the Internet. The malicious software is somewhat different than the original CryptoLocker, including functionality which creates a copy of itself on removable media, suggesting that the malware could be a copycat.

The ability to spread to other computers and encrypt data means that the ransomware variant could spread more widely than the original CryptoLocker, according to JD Sherry, vice president of technology and solutions for Trend Micro.

"This is a clear-cut example of something that, whether it is a variant or a copycat, it's another low-cost channel to deliver malware with the end goal of trying to steal sensitive information, such as banking credentials or getting a ransom," Sherry told eWEEK.

CryptoLocker has raised the bar for the class of malware known as ransomware. Ransomware typically locks a PC by modifying the operating system until the user pays a fee. CryptoLocker, however, uses the Windows operating system's encryption library to make more than 70 types of files unreadable without a key. The malware has effectively forced many companies to pay the ransom because they did not have adequate backups to recover the data.

While the latest resurgence of ransomware schemes began more than a year ago in Russia and Eastern Europe, more than half of all CryptoLocker infections are in the United States. The latest version, called "CryptoLocker 2.0" by its creators, can spread like a virus or worm by infecting USB sticks. While the malware does not apparently have the ability to automatically run, the copied executable file could allow it to spread further, according to Trend Micro.

Originally found by antivirus firm ESET on Dec. 19, CryptoLocker 2.0 has some differences from the original version. The variant claims to use a stronger form of encryption, RSA-4096, but in reality, uses a weaker version, RSA-1024. The original version used RSA-2048. In addition, the new version only allows victims to pay via Bitcoin, while the original CryptoLocker allowed other forms of payment, as well.

When researchers further analyzed the code, the differences became more pronounced. The new variant is written in the C# programming language, but the original CryptoLocker was written in Microsoft's Visual C++. In addition, although the original CryptoLocker focused on business files, the new version encrypts images, video and audio files, as well.

Those differences, in addition to changes to the encryption methods, have led researchers to conclude that the latest version is likely a copycat of CryptoLocker.

"It is unlikely that the malware that calls itself 'CryptoLocker 2.0' is actually a new version of the previous CryptoLocker malware from the same authors," ESET stated in its blog post. "The switch from C++ to C# would be something unexpected to say the least, and in any case, none of the key differences can be considered significant improvements."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...