In the ransomware category, one particularly nasty piece of malware, CryptoLocker, sits at the top: it has threatened people around the world, effectively destroying victims' important files.
CryptoLocker, which strongly encrypts the files on victims' drives until a ransom is paid, is now back in action to haunt your digital life with an additional feature.
Until now, CryptoLocker has spread via spam email, with victims tempted to download an attachment or click a link to a malicious website; now it can also spread as a worm through removable USB drives.
Security researchers at Trend Micro have recently reported a new variant of CryptoLocker that is capable of spreading through removable USB drives.
As previously reported by our security experts at The Hacker News, CryptoLocker is malware that locks your files and demands a ransom to release them. Because the files themselves are encrypted, removing the malware from the system does not unlock them. Short of restoring from a backup made before the infection, the only way to get the files decrypted is to pay the ransom the criminals demand.
This new CryptoLocker version is detected as WORM_CRILOCK.A, and it infects computers by posing as a key generator or activator for paid software such as Adobe Photoshop or Microsoft Office on torrent websites.
If CryptoLocker has already encrypted your files, it displays a message demanding payment. Once installed on a system, the worm copies itself onto any USB drive that is plugged in and spreads further; if the infected system is connected to a network, it can also look for other connected drives and infect them as well.
Other malware has employed similar tactics in the past, but CryptoLocker's encryption is much stronger and there is currently no known way to crack it.
Further analysis of WORM_CRILOCK reveals a stark difference from previous variants: the malware has forgone the domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware. Hardcoding the URLs makes the related malicious URLs easier to detect and block, whereas a DGA can help cybercriminals evade detection by cycling through a large number of potential domains. This could mean the malware is still being refined and improved, so later variants can be expected to gain DGA capability.
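To make that difference concrete, here is an added example in Python; it is not code from the original article or from Trend Micro's analysis. It uses a toy DGA constructed for illustration (not CryptoLocker's or WORM_CRILOCK's real algorithm), a hypothetical hardcoded C&C hostname, and a few constructed DNS log lines. It shows that a hardcoded host is caught by a single blocklist entry, while a blocklist built from one day's observed DGA domains misses what the malware will look up the next day unless the algorithm itself has been reverse-engineered.

```python
"""Added example: hardcoded C&C versus DGA from a defender's blocklist view.

Everything here is constructed for illustration: the hostnames, the seed,
the toy DGA and the DNS log lines. None of it reproduces real malware.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Hypothetical hardcoded C&C host, standing in for the URLs embedded in a
# hardcoded-C&C variant (the real hosts are not reproduced here).
HARDCODED_C2 = "c2-static.example.net"

# The secret a DGA would embed in the binary; constructed for this example.
SEED = b"demo-seed"


def toy_dga(day: date, count: int = 4) -> list[str]:
    """Toy DGA: derive `count` candidate domains for one calendar day.

    Constructed for illustration only; a real DGA may use other inputs,
    TLDs and counts. The point is that the set changes every day.
    """
    out = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).hexdigest()
        out.append(f"{digest[:12]}.example.net")
    return out


def normalize(name: str) -> str:
    """Canonical form for matching: lowercase, no trailing root dot."""
    return name.strip().lower().rstrip(".")


def blocked(name: str, blocklist: set[str]) -> bool:
    """Exact-match lookup, the way a DNS sinkhole or proxy blocklist works."""
    return normalize(name) in blocklist


def scan_dns_log(lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, queried_name) for every log line whose name is blocked.

    The log format is constructed: '<timestamp> <client-ip> query <name>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed or non-query lines
        if blocked(parts[3], blocklist):
            hits.append((parts[1], normalize(parts[3])))
    return hits


def dga_blocklist_coverage(day_observed: date, days_ahead: int) -> float:
    """Fraction of DGA domains over the next `days_ahead` days that a blocklist
    built only from the domains seen on `day_observed` would catch.

    A hardcoded host needs one entry forever; a DGA host needs the algorithm
    (or predicted domains) to stay blocked.
    """
    seen = set(toy_dga(day_observed))
    total = hits = 0
    for d in range(1, days_ahead + 1):
        for name in toy_dga(day_observed + timedelta(days=d)):
            total += 1
            hits += name in seen
    return hits / total if total else 0.0


# Constructed DNS log: the hardcoded host, a benign lookup, a day-1 DGA
# name and a day-0 DGA name (with a trailing root dot, as some resolvers log).
DAY0 = date(2014, 1, 1)
DAY1 = DAY0 + timedelta(days=1)
SAMPLE_DNS_LOG = [
    f"2014-01-01T10:00:00 10.0.0.5 query {HARDCODED_C2}",
    "2014-01-01T10:00:01 10.0.0.5 query www.example.org",
    f"2014-01-02T10:00:00 10.0.0.7 query {toy_dga(DAY1)[0]}",
    f"2014-01-01T10:00:02 10.0.0.9 query {toy_dga(DAY0)[2]}.",
]

if __name__ == "__main__":
    print("hardcoded variant, one blocklist entry:",
          scan_dns_log(SAMPLE_DNS_LOG, {HARDCODED_C2}))
    day0_list = set(toy_dga(DAY0))
    print("DGA variant, blocklist from day-0 observations:",
          scan_dns_log(SAMPLE_DNS_LOG, day0_list))
    print("coverage of that list over the next 30 days: %.2f"
          % dga_blocklist_coverage(DAY0, 30))
    print("DGA variant, with the algorithm known (day 0 + day 1):",
          scan_dns_log(SAMPLE_DNS_LOG, day0_list | set(toy_dga(DAY1))))
```

Run it stand-alone to see the four cases: the single hardcoded entry catches the first lookup; a list built from day-0 observations catches only the day-0 name (the trailing dot is normalized away); that list covers none of the following month's DGA names; and only pre-generating domains from the known algorithm catches the day-1 lookup. This is why Trend Micro's observation that WORM_CRILOCK hardcodes its C&C servers is good news for defenders, and why a later DGA-equipped variant would be harder to block.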
Recommendations for users to defend against such threats:
- Avoid using P2P (torrent) sites to obtain pirated copies of software, and stick with official or reputable sites.
- Be extremely careful about plugging USB drives into your computer. If you find one lying around, don't plug it in to see what may be on it.
- Keep regular backups on media that is disconnected when not in use: since an infected system on a network can reach other connected drives, a backup drive that stays permanently attached can be encrypted along with everything else.