Author:- Catalin Cimpanu
MalwareHunterTeam has discovered a new ransomware family that calls itself CryLocker and abuses legitimate services such as Google Maps, Imgur, and Pastee.
Researchers first spotted this ransomware towards the end of August, when they noticed something peculiar about its mode of operation, meaning the usage of UDP packets instead of TCP and several connections made to legitimate sites.
After further analysis, researchers discovered that CryLocker was infecting users and locking a large number of file types. Instead of sending all information to remote C&C servers, the ransomware was encoding this data as a PNG file, which they later uploaded to Imgur, or Pastee if Imgur didn’t respond.
“Over 10,000 users infected with CryLocker”
“Although the PNG file has a valid file header, it does not contain an image but the system information as ASCII strings,” Trend Micro researchers discovered.
MalwareHunterTeam told Softpedia that he found PNG images inside CryLocker’s Imgur album for over 10,000 victims, but mysteriously not from US or UK victims.
Trend Micro also says that the ransomware is hardcoded to avoid execution on PCs that use keyboard layouts specific to languages such as Belarusian, Kazakh, Russian, Sakha, Ukrainian, and Uzbek.
“CryLocker spread via exploit kits”
In its early stages, CryLocker also used the name Central Security Treatment Organization Ransomware, but this changed in versions released after September 5, the date at which it also shifted from using the RIG exploit kit to the Sundown exploit kit.
The name Central Security Treatment Organization is still used on CryLocker’s Tor-based payment site, which is down at the time of publishing.
When displaying ransom notes on the user’s PC, CryLocker changes their desktop but also leaves ransom notes in .txt and .html formats.
“Ransomware intimidates users by showing their location on a map”
The ransomware author asks 1.1 Bitcoin (~$630) to unlock the user’s files. The ransomware also gathers local WiFi network details and shows the user’s location on the globe using Google Maps, no doubt to intimidate them.
All files locked by CryLocker are appended with the .cry file extension. There’s no free decrypter available at this time that would allow users to recover their files for free.
Recovery via shadow volume copies is not possible because the ransomware deletes them after encrypting files. CryLocker is different from other ransomware because it first copies the files, encrypts them, and then deletes the originals. Most ransomware variants just try to encrypt the original.
Technical analysis on the ransomware’s mode of operation is available in reports from Trend Micro, and from a team of researchers that includes MalwareHunterTeam, Lawrence Abrams, and Daniel Gallagher.