New CryptoLocker Variant is Spread Through Peer-to-Peer Networks
A new version of CryptoLocker has emerged. It can be spread through removable drives and it may disguise itself as a software activator for Adobe Photoshop or Microsoft Office. This variant underscores the sophisticated challenge that enterprises face in fending off CryptoLocker, a prominent piece of ransomware that encrypts user files and demands payment in the popular cryptocurrency Bitcoin.
New CryptoLocker moves beyond email, leverages peer-to-peer networks
Early versions of CryptoLocker were distributed primarily through email. Targeted users typically received a zipped archive that contained a malicious PDF file with the CryptoLocker payload.
Once activated, CryptoLocker encrypts the contents of the main hard drive as well as any LAN drives. It uses a combination of 256-bit AES and 2048-bit RSA encryption, making it difficult for victims to recover their assets unless they created backups or implemented a system restore solution to roll back the unwanted changes.
The newest CryptoLocker variant has a number of differences that on the one hand may increase its reach, but on the other make it easier to detect. Since it can be propagated through infected removable drives, it can spread more rapidly than its predecessors. It also takes advantage of peer-to-peer networks to spread malicious files advertised as activation tools for productivity software. Distribution over P2P spares the perpetrators the effort of conducting spam email and phishing campaigns.
However, the latest version uses hard-coded command-and-control nodes. Earlier forms of CryptoLocker had used a domain generation algorithm that enabled them to connect to a much wider range of domains, throwing off security teams that would otherwise simply block a few problematic URLs. Hard-coded nodes, by contrast, can be blocklisted outright once they are known. This change could indicate that P2P CryptoLocker variants are still in the early stages.
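The detection difference described above can be illustrated with a small script. The following is an added example, not code from the article or from any vendor it mentions: it reads a few constructed DNS query log lines, matches queried names against a placeholder blocklist standing in for the hard-coded C2 nodes (the real indicators are not given on the page), and separately flags DGA-looking names using a length, Shannon-entropy and vowel-ratio heuristic. The log format, the threshold values and the sample hostnames are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS resolver log lines (not real telemetry). Assumed
# format: "<timestamp> <client-ip> <queried-name>", one query per line.
SAMPLE_DNS_LOG = """\
2014-02-03T10:01:12Z 10.0.0.15 www.microsoft.com
2014-02-03T10:01:14Z 10.0.0.15 c2-node-placeholder-1.example
2014-02-03T10:01:20Z 10.0.0.22 qxwvmrtpkjhlyzbn.org
2014-02-03T10:01:25Z 10.0.0.22 mail.example.org
2014-02-03T10:01:31Z 10.0.0.31 dsfkjhwuelmvbdtx.net
"""

# Placeholder blocklist standing in for the variant's hard-coded C2 nodes.
# The article does not publish the real hostnames, so these are invented.
HARDCODED_C2_BLOCKLIST = {
    "c2-node-placeholder-1.example",
    "c2-node-placeholder-2.example",
}

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Return (timestamp, client, qname) tuples; qnames are normalised to lowercase."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).lower().rstrip(".")))
    return records


def second_level_label(qname):
    """The registrable label (e.g. 'microsoft' in www.microsoft.com); no PSL handling."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score near log2(alphabet)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s):
    """Share of letters that are vowels; human-chosen names usually have plenty."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def looks_dga(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.2):
    """Heuristic for algorithmically generated labels; thresholds are assumptions."""
    label = second_level_label(qname)
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def classify_queries(log_text):
    """Return (client, qname, reason) alerts: exact blocklist hits first, then DGA-like names."""
    alerts = []
    for _ts, client, qname in parse_dns_log(log_text):
        if qname in HARDCODED_C2_BLOCKLIST:
            alerts.append((client, qname, "blocklisted-c2"))
        elif looks_dga(qname):
            alerts.append((client, qname, "dga-like"))
    return alerts


if __name__ == "__main__":
    for client, qname, reason in classify_queries(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {reason}")
```

The blocklist check is exact and cheap, which is why hard-coded C2 nodes are the easier case for defenders; the entropy heuristic is what a team falls back on against a DGA, and it will produce false positives on legitimate CDN or tracking hostnames, so in practice it is tuned per environment and combined with query-volume and NXDOMAIN-rate signals.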
CryptoLocker has infected a quarter of a million PCs
CryptoLocker was identified last September, and since that time it has infected more than 250,000 PCs around the world and collected as many as 1,200 Bitcoins in payment. A variety of organizations have been targeted, including a municipal government in New Hampshire.
The town hall of Greenland, N.H., was hit by a CryptoLocker infection that came through an email purporting to be from a telecom provider. More than eight years' worth of documents were compromised, although fortunately for town officials the most sensitive ones were still available in hard copies kept in a safe.
Staying on top of malware like CryptoLocker requires top-shelf IT solutions. Reboot-to-restore software allows IT administrators to centrally and securely manage endpoints. If a configuration seems off or a device appears to have been infected with malware, the administrator can reboot it to return it to a clean state. With guaranteed recovery of workstations and great flexibility for managing Windows updates, these solutions help ensure that operations continue as normal.