Researchers have discovered a new variant of the CryptoLocker ransomware which could potentially infect even more users than the original version.

The criminals behind CryptoLocker appear to have modified the ransomware from a Trojan into a USB-spreading worm, researchers from Trend Micro wrote on its Security Intelligence blog recently. As a Trojan, CryptoLocker couldn't spread on its own to infect user computers. It relied on users to open an email attachment, or to click on a link in an email, to execute and install itself on the computer. As a worm, however, CryptoLocker can replicate itself and spread via removable drives.

In case you need a refresher, CryptoLocker is ransomware. This is type of malware which locks up files on your computer and demands a ransom in order to unlock the files. The files are encrypted, so removing the malware doesn't release the files. The only way to get the files back is to pay the criminals whatever amount they select (recent attacks have featured demands for BitCoins) or just wipe the computer and restore from backup.

The new version of the malware pretends to be an activator for software such as Adobe Photoshop and Microsoft Office on peer-to-peer (P2P) file sharing sites, Trend Micro said. Uploading the malware onto P2P sites allows bad guys to easily infect systems without bothering with spam messages, according to the blog post.

"The bad guys behind this new variant don't have to blast out a spam email campaign to spread their malware," said Graham Cluley, a security researcher.

How a Worm Infects

Imagine a simple scenario. You borrow a USB drive to move a file from one computer to another, or to give someone a copy of the file. If that drive was infected with the CryptoLocker worm, all any computer the drive connected to would be infected. And if that computer is connected to a network, the Cryptolocker work can look for other connected drives.

"It might make it easier for CryptoLocker to infect PCs across your organization," Cluley said.

There is one good sign about this new variant, though. The original CryptoLocker malware used the domain generation algorithm (DGA) to periodically generate a large number of domain names to connect to the command-and-control (C&C) server. The new version of CryptoLocker, on the other hand, doesn't use DGA as the URL of the command-and-control servers are hardcoded in the ransomware, Trend Micro said. This makes it easier to detect and block the related malicious URLs.

However, that might just mean that the malware is still in the process of being refined and improved upon, and later versions of the worm may have the DGA capability, Trend Micro warned. Once it include DGA, it would be more difficult to detect and block the ransomware.

What Do I Do?

Trend Micro and Cluley had a few recommendations on what to do:

Users should avoid using P2P sites to get copies of software and stick with official or reputable sites.

Users should also be extremely careful about plugging USB drives into their computers. If you found one lying around, don't plug it in to see what may be on it.

"Make sure that you follow safe computing practices and are careful about what you run on your computers, and don't forget to keep your anti-virus updated and your wits about you," Cluley said.





Further Reading

Security Reviews