Security Professionals Discovered New Variant of CryptoLocker Ransomware Trojan in the Wild

Softpedia.com reported on 21st June, 2014 that a modified version of the notorious CryptoLocker ransomware has been identified in the wild; it doesn't rely on 2048-bit RSA encryption and doesn't communicate with a command and control server.

Although law enforcement agencies have dealt a heavy blow to the GameOver Zeus botnet, which cyber crooks used to distribute CryptoLocker ransomware, variants of file-encrypting ransomware are still circulating on the Internet.

A post on the Fakebit website presents an analysis of a CryptoLocker infection that instructs the victim to visit a location on the Tor network to obtain details about the ransom payment.

The ransomware appears to encrypt data on the infected machine using an encryption method weaker than the original's, and it can probably be broken to regain access to the locked files.

Softpedia.com's report of 21st June, 2014 quotes the researcher as saying: "The constant 0x9e3779b9 is occurring at numerous points of the encryption function, looks to be important. A web search for this constant shows that it's a magic number usually used in the Tiny Encryption Algorithm (TEA)."

However, the risk of data encryption still exists with this malware. The affected files range from executables and multimedia files (such as image, audio and video) to documents and electronic books; their extension is changed to CRYPTOLOCKER.

Moreover, analysis of the malware found that it is capable of decrypting the files on the filesystem. It contains strings that appear to be the prompt and response for decryption password input.

The researcher patched the binary so that it executed the decryption function, then removed the CRYPTOLOCKER extension to unlock the data, which proved that the Trojan doesn't use an asymmetric cipher.
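As an added illustration (not code from the article, the researcher or the malware), this Python sketch shows textbook TEA, where 0x9e3779b9 is the per-round delta and the same key both encrypts and decrypts, together with a triage helper that searches a byte buffer for the constant. The article does not say which TEA variant, key or mode the Trojan uses; the key, the sample bytes and all function names below are constructed assumptions.

```python
import struct

DELTA = 0x9E3779B9   # constant quoted in the article
MASK = 0xFFFFFFFF    # emulate 32-bit unsigned arithmetic

def tea_encrypt_block(v0, v1, key):
    """Textbook TEA: two 32-bit words in, four 32-bit key words, 32 rounds."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1

def tea_decrypt_block(v0, v1, key):
    """Inverse of tea_encrypt_block; requires exactly the same key (symmetric)."""
    k0, k1, k2, k3 = key
    s = (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def find_tea_delta(blob):
    """Return sorted (offset, label) hits for the delta or its 32-bit negation."""
    # sum += DELTA can be compiled as a subtraction of 0x61C88647, so look for both.
    neg = (-DELTA) & MASK
    patterns = {
        "delta-le": struct.pack("<I", DELTA), "delta-be": struct.pack(">I", DELTA),
        "neg-delta-le": struct.pack("<I", neg), "neg-delta-be": struct.pack(">I", neg),
    }
    hits = []
    for label, pat in patterns.items():
        pos = blob.find(pat)
        while pos != -1:
            hits.append((pos, label))
            pos = blob.find(pat, pos + 1)
    return sorted(hits)

# Constructed inputs for demonstration; not taken from any real sample.
KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
SAMPLE = b"\x00" * 6 + struct.pack("<I", DELTA) + b"\xff" * 5 + struct.pack("<I", 0x61C88647)

if __name__ == "__main__":
    ct = tea_encrypt_block(0x11223344, 0x55667788, KEY)
    print("ciphertext:", [hex(w) for w in ct])
    print("decrypted :", [hex(w) for w in tea_decrypt_block(*ct, KEY)])
    print("constant hits:", find_tea_delta(SAMPLE))
```

The same constant is also used by XTEA, XXTEA and some hash functions, so a hit is a lead to confirm in a disassembler rather than proof of TEA.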

Copycat ransomware like this will become more common as the year goes on. Law enforcement agencies advise against paying any ransom, both to discourage the criminal practice and because there is no guarantee that the criminals will keep their word and provide decryption after payment. However, in some cases where backups are not available and months of hard work might be lost, it may be worthwhile to pay anyway.

» SPAMfighter News - 6/28/2014
