JD Sherry, vice-president of technology and solutions at Trend Micro, says the malware could be more devastating than the original Cryptolocker because it propagates to other computers as well as encrypting data. Sherry gave the following statement to eWEEK:
This is a clear-cut example of something that, whether it is a variant or a copycat, is another low-cost channel to deliver malware with the end goal of trying to steal sensitive information, such as banking credentials, or getting a ransom.
Ransomware has traditionally locked a computer by tampering with its operating system, and the victim has to pay to get the machine unlocked. Cryptolocker instead uses the cryptographic libraries built into Windows to render about 70 file types unreadable without the matching decryption key, so companies that kept no regular, offline backups are left with the choice of paying the ransom or losing their data.
More than half of all Cryptolocker infections have been found in the United States, while ransomware tools and platforms have been flourishing in Russia and Eastern Europe for about a year. Trend Micro reports that "Cryptolocker 2.0", the latest version to hit the Internet, spreads via USB drives: it copies its executable onto removable media, and although the copy does not run automatically, it infects any machine on which a user runs it.
Cryptolocker 2.0, which ESET discovered on 19 December 2013, is quite different from the original. It uses a weaker key length, RSA-1024, even though its ransom note claims the much stronger RSA-4096. The original accepted several payment methods, whereas the new variant apparently accepts only Bitcoin. Further analysis turned up more differences: the original was written in Microsoft Visual C++, Cryptolocker 2.0 in C#; and the new version also encrypts image, audio and video files, whereas the original targeted business documents. The researchers therefore concluded that this variant is a copycat rather than a successor from the same authors.
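The gap between the claimed RSA-4096 and the actual RSA-1024 is the kind of thing an analyst checks by reading the modulus length out of the public key embedded in the sample rather than trusting the ransom note. The following Python is an added example, not code from the article, Trend Micro or ESET: it parses a DER-encoded RSA public key (either a bare PKCS#1 RSAPublicKey or a SubjectPublicKeyInfo wrapper) with the standard library only and compares the real modulus size against a claimed size. The key material is constructed inline for the demonstration and is not from any malware sample.

```python
"""Check the real RSA modulus size of a DER public key against a claimed size.

Added example (not from the article). Uses only the standard library so it can
run on an analysis box without extra packages. The sample keys below are
constructed here; they are not real keys and not taken from any sample.
"""

# rsaEncryption OID 1.2.840.113549.1.1.1, already DER-encoded (tag 0x06)
_RSA_OID_TLV = bytes.fromhex("06092a864886f70d010101")


def _encode_tlv(tag, value):
    """Encode one DER tag/length/value triple (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _encode_integer(n):
    """Encode a non-negative int as a DER INTEGER (leading 0x00 if top bit set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _encode_tlv(0x02, raw)


def encode_rsa_public_key(modulus, exponent=65537):
    """Build a PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent }."""
    return _encode_tlv(0x30, _encode_integer(modulus) + _encode_integer(exponent))


def wrap_spki(pkcs1_key):
    """Wrap a PKCS#1 key in SubjectPublicKeyInfo (AlgorithmIdentifier + BIT STRING)."""
    algorithm = _encode_tlv(0x30, _RSA_OID_TLV + b"\x05\x00")  # OID + NULL params
    bit_string = _encode_tlv(0x03, b"\x00" + pkcs1_key)          # 0 unused bits
    return _encode_tlv(0x30, algorithm + bit_string)


def _read_tlv(buf, pos):
    """Decode the DER element at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Return the bit length of the RSA modulus in a PKCS#1 or SPKI DER blob."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    inner_tag, inner, after = _read_tlv(body, 0)
    if inner_tag == 0x30:
        # SPKI layout: AlgorithmIdentifier SEQUENCE, then BIT STRING holding PKCS#1
        if _RSA_OID_TLV not in inner:
            raise ValueError("not an rsaEncryption key")
        bs_tag, bit_string, _ = _read_tlv(body, after)
        if bs_tag != 0x03:
            raise ValueError("expected BIT STRING")
        return rsa_modulus_bits(bit_string[1:])  # skip the unused-bits octet
    if inner_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(inner, "big").bit_length()


def claim_matches(der, claimed_bits):
    """True only if the advertised key size equals what the key actually carries."""
    return rsa_modulus_bits(der) == claimed_bits


# Constructed demo material (hypothetical, not a real key): a 1024-bit modulus
# with the top bit set, the way a real modulus would be, plus the usual e=65537.
SAMPLE_MODULUS_1024 = int.from_bytes(b"\xc3" + b"\x5a" * 127, "big")
SAMPLE_PKCS1 = encode_rsa_public_key(SAMPLE_MODULUS_1024)
SAMPLE_SPKI = wrap_spki(SAMPLE_PKCS1)
CLAIMED_BITS = 4096  # what the ransom note in the text claims


if __name__ == "__main__":
    actual = rsa_modulus_bits(SAMPLE_SPKI)
    print(f"claimed RSA-{CLAIMED_BITS}, key actually carries RSA-{actual}")
    print("claim holds" if claim_matches(SAMPLE_SPKI, CLAIMED_BITS) else "claim is false")
```

In practice the DER blob comes from the sample itself (a resource, a string constant, or a key fetched from the command-and-control server); the parser is deliberately strict about tags so that a non-RSA or truncated structure raises instead of silently reporting a length.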
ESET put it this way in a blog post:
It is unlikely that the malware that calls itself ‘Cryptolocker 2.0’ is actually a new version of the previous Cryptolocker malware from the same authors. The switch from C++ to C# would be something unexpected to say the least, and in any case, none of the key differences can be considered significant improvements.