We recently came across a CryptoLocker variant that had one notable feature—it has propagation routines.

Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants. The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants.

Aside from its propagation technique, the new malware bears numerous differences from known CryptoLocker variants. Rather than relying on a downloader malware—often UPATRE— to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites. Uploading the malware in P2P sites allows bad guys to easily infect systems without the need to create (and send) spammed messages.

Further analysis of WORM_CRILOCK reveals that it has a stark difference compared to previous variants. The malware has foregone domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware. Hardcoding the URLs makes it easier to detect and block the related malicious URLs. DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains. This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect latter variants to have the DGA capability.

The differences between this particular CRILOCK variant and the others have led some researchers to believe that this malware is the product of a copycat. Regardless of its creator, WORM_CRILOCK.A shows that this could become the new favored attack method of cybercriminals.

Users should avoid using P2P sites to get copies of software. They should always download software from official and/or reputable sites. Given WORM_CRILOCK’s ability to spread via removable drives, users should also exercise caution when using flash drives and the like. Users should never connect their drives into unfamiliar or unknown machines. Our blog entry, Defending Against CryptoLocker, discusses at length additional ways of protecting a computer and a network against CryptoLocker malware.

Trend Micro uses AEGIS (behavior monitoring) to detect and block all threats related to this malware. For more information on ransomware’s background, you may visit this page. You may also refer to our FAQ page on Cryptolocker for a more comprehensive view about the malware.

With additional insights from Mark Manahan and Jimelle Monteser