Researchers have discovered a new crypto ransomware threat which they claim has at least 50 variants all designed to hit up victims for a $150 payment.

The Cryptolocker malware, which hit the headlines recently for encrypting victims' files and demanding $300 to unlock them , now has a cheaper rival, which researchers at security startup IntelCrawler say began large-scale distribution on 5 December.

The newer crypto-locking malware first checks the infected machine has an internet connection by calling up adobe.com, then deletes any original files the victim has on their PC after first making encrypted copies of them and adding a ".perfect" extension to the files. The attackers place a "CONTACT.TXT" file in each directory, which provides their contact information for victim that choose to buy the decryption key.

Unlike the first wave of Cryptolocker malware that first started hitting PCs around September, there's no Bitcoin payment option in the new version. Instead, the criminals are asking for payment using peer-to-peer payment service Perfect Money or using a virtual card number through Russian payments firm QIWI Visa.

Also, the newer ransomware doesn't use command and control (C&C) infrastructure common to many botnets, instead managing infected machines through specially-crafted decryption software.

"Each 'decryptor' has a list of hardcoded IP addresses that helps each sample to operate without any C&C at all, in order to hide the owner and to have no roots at all, besides e-commerce details," Andrey Komarov, CEO of IntelCrawler, told ZDNet.

Komarov said he had discovered 50 different builds of the malware, which are being sold on underground markets for pay-per install programs. One build had just under 6,000 infected machines, according to Komarov, with the highest concentration of infections in Russia, followed by the US and the Netherlands.

As with other malware distribution networks, crime gangs are using a variety of methods to infect machines. Some are distributing it through spam while others are using landing pages that for example, host fake music track files. One example was a Tina Turner song, babyBaby.mp3.exe.

The good news is that IntelCrawler says there is a high level of detection amongst AV companies.

The company recommends victims not to rename any of the encrypted files and not to change the hostname of their PC. It's working on universal decryption software in order to combat the threat.

According to Komarov, the crime gang behind this threat built their tools on the free open 'TurboPower LockBox' library, which uses AES-CTR to encrypt files.

Further reading