Cryptolocker 2.0: thief and impostor


Information security sites are brimming with discussions surrounding a new program, which is classified as 150% malicious since it causes great harm and spreads malice like all blockers do. It is Cryptolocker 2.0, presumably a new version or distant relative of the cursed Trojan extorter Cryptolocker. Like other malware of that kind, Cryptolocker and Cryptolocker 2.0 encrypt a significant part of the data on hard disks and then make victims an offer they cannot refuse: pay the attackers a tidy sum of money, preferably in bitcoins, with the chance of receiving a decryption key being just 50/50, that is, the criminals may send the key, or they may not send it at all.

The standout feature of Cryptolocker 2.0 is its ability to spread via removable drives. It is still an open question whether the new malware is really an updated version of the earlier Trojan blocker. Some experts believe that the original Cryptolocker and Cryptolocker 2.0 have nothing in common and that the new program simply refers to itself that way. That makes the second malware not just a thief, but an impostor too.

The original Cryptolocker made a big noise in both the U.S. and the UK, given that the malware mainly attacked English speakers. The governmental institutions US-CERT and the National Cyber Crime Unit in the United Kingdom independently issued security warnings about Cryptolocker. The British bulletin emphasized that the authors of this malware launched a campaign aimed at small and medium enterprises (SMEs) and consumers, warning that potential victims are showered with emails that appear to come from financial institutions but carry malicious attachments that can install Cryptolocker, a type of ransomware.

Once the malware gets onto the user’s machine, it seeks out files with specific extensions on local and network resources, including shared drives, removable drives (such as flash drives), external hard drives, shared file systems and cloud storage locations. If one computer on the LAN is infected, the malware is likely to reach all of the resources that computer can access. US-CERT recommends that, upon seeing the red banner with the Cryptolocker “extortion instructions”, the computer be immediately isolated from all wired and wireless networks.

Unfortunately, despite all the warnings, the Cryptolocker campaign was apparently very successful. According to data from Dell SecureWorks, the first one hundred days of the campaign, starting on September 5, saw about 200-250 thousand computers infected, like an epidemic. About 0.4% of the victims chose to pay, and that number is likely to increase, leaving the attackers with quite a big jackpot.

Cryptolocker 2.0 may be a new version, an improved clone of the original Cryptolocker, or just an imitation since there are many differences.

The original Cryptolocker’s authors used a 2048-bit encryption key, while Cryptolocker 2.0 claims to employ RSA 4096, although the key it actually uses is just 1024 bits.
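A claim like “RSA 4096” is worth checking against the key material itself. The following is an added example, not code from the article or from either malware family: a minimal PKCS#1 `RSAPublicKey` (SEQUENCE of two INTEGERs) encoder and decoder in pure Python that reports the real modulus size, run against a constructed 1024-bit modulus (a fixed odd number, not a real RSA key) whose “owner” claims 4096 bits.

```python
# Minimal DER handling for PKCS#1 RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }.
# Encoder is only here to build the constructed sample; the decoder is the check.
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value: int) -> bytes:
    # (bit_length + 8) // 8 leaves a leading 0x00 whenever the top bit is set,
    # so the INTEGER stays positive as DER requires.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos; raises on truncation."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length

def rsa_modulus_bits(der: bytes) -> int:
    """Actual RSA modulus size in bits, read from a PKCS#1 RSAPublicKey blob."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def claim_is_honest(claimed_bits: int, der: bytes) -> bool:
    """True only if the modulus is at least as large as advertised."""
    return rsa_modulus_bits(der) >= claimed_bits

# Constructed sample (NOT a real key): a 1024-bit odd modulus with e = 65537,
# standing in for a key whose owner advertises "RSA 4096".
SAMPLE_N = (1 << 1023) | 0x10001
SAMPLE_KEY_DER = der_sequence(der_integer(SAMPLE_N), der_integer(65537))
```

`claim_is_honest(4096, SAMPLE_KEY_DER)` returns `False` for the sample, while `rsa_modulus_bits` reports 1024; a key extracted from a real sample would be checked the same way.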

The authors of Cryptolocker 2.0 demand ransom in bitcoins only, while the authors of the original Cryptolocker would also accept payment via MoneyPak, Ukash or cashU.

The original Cryptolocker was compiled in Visual C++; Cryptolocker 2.0 is written in C#. The list of targeted file extensions is different, too. The original Cryptolocker was rather “business oriented” and ignored video and music files, while Cryptolocker 2.0 does not avoid extensions like .mp3, .mp4, .jpg, .png, .avi, .mpg and so forth.
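One practical consequence of the extension list above is that a file encrypted in place keeps its media extension but loses its file-format signature. The following is an added triage example, not code from the article or from either malware: it checks each of the media extensions named above against its standard file signature and flags a file as suspicious only when the header contradicts the extension and the content looks random. The sample files are constructed here; the verdict names and the 7.5 bits-per-byte threshold are assumptions.

```python
import math
import os
import random
from collections import Counter

# Standard signatures for the media extensions the article lists as new targets.
# Each value is a list of alternatives; an alternative is (offset, bytes) pairs that must all match.
MAGIC = {
    ".jpg": [[(0, b"\xff\xd8\xff")]],
    ".png": [[(0, b"\x89PNG\r\n\x1a\n")]],
    ".mp3": [[(0, b"ID3")], [(0, b"\xff\xfb")], [(0, b"\xff\xf3")]],
    ".mp4": [[(4, b"ftyp")]],
    ".avi": [[(0, b"RIFF"), (8, b"AVI ")]],
    ".mpg": [[(0, b"\x00\x00\x01\xba")], [(0, b"\x00\x00\x01\xb3")]],
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, lower for most real content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def magic_matches(ext: str, data: bytes):
    """True/False when the extension has a known signature, None when it does not."""
    alts = MAGIC.get(ext.lower())
    if alts is None:
        return None
    return any(all(data[off:off + len(sig)] == sig for off, sig in alt) for alt in alts)

def classify(name: str, data: bytes, threshold: float = 7.5) -> str:
    """'suspicious' if the header contradicts the extension and the first 4 KiB
    look random; 'unknown' for extensions without a signature; otherwise 'ok'."""
    match = magic_matches(os.path.splitext(name)[1], data)
    if match is None:
        return "unknown"
    if not match and shannon_entropy(data[:4096]) > threshold:
        return "suspicious"
    return "ok"

# Constructed samples (not real malware output): intact PNG and MP4 headers with
# high-entropy bodies, a plain-text file, and a "JPEG" of seeded pseudo-random filler.
_rng = random.Random(2013)
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 8,
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42" + bytes(range(256)) * 8,
    "notes.txt": b"plain text, nothing to check against\n",
    "photo.jpg": bytes(_rng.getrandbits(8) for _ in range(4096)),
}
```

Note that the PNG and MP4 samples have near-random bodies yet are reported as ok, because the signature check runs first; entropy alone would misclassify compressed media.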

There is another interesting detail. The original Cryptolocker used an algorithm to generate random domain names for its control servers, while Cryptolocker 2.0 relies on addresses embedded in its code, which makes the new malware’s infrastructure somewhat more vulnerable to takedown.

It may also be a work-in-progress variant of future malware that could become more dangerous than its predecessors.

It is possible that version 2.0 is actually a kind of trial version of malware under active development, which will eventually become much more dangerous than it is now. Even so, the fact that it spreads via removable drives like a worm is worrisome.

Cryptolocker 2.0 also differs in how it disguises itself. Instead of posing as an “official notification”, it masquerades as an “activator” (a crack for proprietary software such as Microsoft Windows, Microsoft Office, TeamViewer, Adobe Photoshop, and even products of some antivirus vendors).

Thus, the most likely victims are once again users of pirated software. Small companies that try to save on software licensing risk not only trouble with the law, but also the loss of all their data, given that the attackers do not necessarily send the decryption key even when the ransom is paid.

Tips