Cryptolocker Malware learned to replicate itself through removable USB drives

Among ransomware families, CryptoLocker stands out as one of the nastiest: it has hit victims around the world and effectively destroyed their important files by encrypting them.

CryptoLocker, which strongly encrypts a victim's files and holds them hostage until a ransom is paid, is back in action to haunt your digital life with an additional feature.
Until now, CryptoLocker has been spread via spam email, tempting victims to download an attachment or click a link to a malicious website; the new variant can also spread itself as a worm through removable USB drives.

Security Researchers at Trend Micro have recently reported a new variant of Cryptolocker which is capable of spreading through removable USB drives.

As previously reported by The Hacker News, CryptoLocker locks your files and demands a ransom to release them. Because the files themselves are encrypted, removing the malware from the system does not unlock them; unless you have an offline backup to restore from, the only way to get the files decrypted is to pay the ransom the criminals demand.

This new version is detected as WORM_CRILOCK.A, and it infects computers by posing as a key generator or activator for paid software such as Adobe Photoshop and Microsoft Office on torrent websites.

If CryptoLocker has already encrypted your files, it displays a message demanding payment. Once installed on a system, WORM_CRILOCK.A can copy itself onto any removable USB drive plugged into that system and spread further; if the infected system is connected to a network, the worm can also look for other connected drives to infect.

Other malware has employed similar tactics in the past, but CryptoLocker's encryption is much stronger and currently cannot be cracked.
Trend Micro's further analysis of WORM_CRILOCK.A reveals a stark difference from previous variants: the malware has forgone the domain generation algorithm (DGA) and instead has its command-and-control (C&C) servers hardcoded into the binary. Hardcoding the URLs makes the related malicious URLs easier to detect and block, whereas a DGA lets cybercriminals evade detection by cycling through a large number of potential domains. This suggests the malware is still being refined, so later variants can be expected to regain DGA capability.
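To make the hardcoded-C&C versus DGA point concrete, here is an added example (not code from the article or from Trend Micro's analysis) that shows why a static blocklist works against hardcoded C&C domains but fails against a DGA unless the defender can reproduce the algorithm. The C&C domains, the `.example` TLD and the `toy_dga` function are constructed for illustration only; they are not CryptoLocker's real infrastructure or algorithm.

```python
"""Static blocklist coverage: hardcoded C&C domains vs. DGA-generated domains.

Added illustrative example. The domains and the DGA below are constructed
placeholders, not real indicators and not CryptoLocker's actual algorithm.
"""
import datetime
import hashlib

# Constructed stand-in for a malware sample's hardcoded C&C list.
# Placeholder .example names, deliberately not real infrastructure.
HARDCODED_C2 = ["c2-one.example", "c2-two.example"]


def toy_dga(day, count=5, tld=".example"):
    """Deterministic toy DGA: derive `count` domains from a calendar date.

    Constructed for illustration only. Real DGAs differ in seed source,
    hashing and character set, but share the property shown here: the
    domain set changes over time, so a list captured today is stale tomorrow.
    """
    domains = []
    for i in range(count):
        seed = "{}-{}".format(day.isoformat(), i).encode()
        digest = hashlib.sha256(seed).hexdigest()
        # Map the first 12 hex digits onto lowercase letters (a..p only,
        # which is fine for a toy; a real DGA would use a wider alphabet).
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        domains.append(label + tld)
    return domains


def coverage(blocklist, contacted):
    """Return (blocked, total): how many of the domains a sample tries to
    reach are caught by a static blocklist."""
    blocked = sum(1 for d in contacted if d in blocklist)
    return blocked, len(contacted)


def demo():
    """Compare blocklist effectiveness in the three situations the article
    contrasts: hardcoded C&C, DGA with a stale list, DGA with the algorithm
    reproduced by the defender."""
    # Blocklist built from the static strings in a hardcoded-C&C sample:
    # every later connection attempt is to one of those strings, so it is caught.
    static_list = set(HARDCODED_C2)
    hardcoded_result = coverage(static_list, HARDCODED_C2)

    # Blocklist built from what a DGA sample contacted on day one is useless
    # against the domains it will generate on day two.
    day1 = datetime.date(2013, 12, 25)  # arbitrary constructed date
    day2 = day1 + datetime.timedelta(days=1)
    stale_list = set(toy_dga(day1))
    stale_result = coverage(stale_list, toy_dga(day2))

    # If analysts reverse the DGA, they can pre-generate tomorrow's domains
    # and block (or sinkhole) all of them ahead of time.
    predicted_list = set(toy_dga(day2))
    predicted_result = coverage(predicted_list, toy_dga(day2))

    return {
        "hardcoded": hardcoded_result,
        "dga_stale_blocklist": stale_result,
        "dga_reproduced": predicted_result,
    }


if __name__ == "__main__":
    for name, (blocked, total) in demo().items():
        print("{:<22} blocked {}/{}".format(name, blocked, total))
```

The takeaway matches Trend Micro's observation: hardcoded C&C strings can be pulled straight out of the sample and blocked once, while a DGA forces defenders either to chase a moving target or to reverse the generation algorithm and block its future output.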
Recommendations for users to defend against such threats:
  • Users should avoid using P2P (torrent) sites to obtain pirated copies of software and stick with official or reputable sources.
  • Users should also be extremely careful about plugging USB drives into their computers. If you find one lying around, don't plug it in to see what may be on it.
