A Pod of 'Crypto-clone' Ransomware Spawns in 2014

CryptoLocker's success has spawned similar attacks using its techniques

AppRiver uncovered the trend in its Q1 Global Security Report, which bears out a prediction the firm made at the end of last year that there would be myriad copycat ransomware campaigns using cryptography as a means to hijack victims’ data.

In 2013, CryptoLocker started making the rounds. Rather than announcing itself the moment it infected a machine, it quietly encrypted every important file on the PC with a key whose decrypting (private) half was held only by the attackers. Once it finished, which could take several days depending on the amount of data, CryptoLocker displayed its ransom note, along with a timer telling the victim how long they had until the private key was destroyed and the data on that machine was gone for good.

“According to many reports, those who paid up actually got their data back, but others said the bad guys just never responded nor took the ransom,” said senior security analyst Troy Gill, writing in the report. “That suggests they were just too busy or they felt a little heat from authorities and were backing down to play it safe. The one thing that really set CryptoLocker apart from other forms of ransomware in the past is that once that data was encrypted, there was practically a 0% chance of recovering any of it without dealing with the attackers and paying the ransom.”

With such an effective approach, it was only a matter of time before CryptoLocker's success would spawn similar attacks using its techniques.

Interestingly, one fraudster in the underground forums apparently tried to out-scam the scammers.

“We had barely finished writing [the prediction] when news of a new, more powerful data encrypting ransomware package was being hyped on the underground forums,” Gill said. “This one went by the name of PrisonLocker. The person claiming to be the developer of PrisonLocker began touting his amazing new software and its features with the promise of ‘coming soon’ in all his posts. There was also a pre-sale price of $1,000 US for the up-and-coming software.”

However, the product never materialized, and admins began removing his posts across several black-market forums, though likely not before a few would-be buyers had fallen for the ruse and paid the $1,000.

Regardless, new crypto-ransomware variants have emerged, including a few that spread across a network on their own once a single victim has run them, rather than needing to be executed by each victim in turn. The safest defence is a cold, offline backup of important files: one that the malware cannot reach from the infected machine or over the network.

Gill also warned that businesses that rely on online cloud services for their backups should check how CryptoLocker would interact with that service. Many of these clients run silently in the background and, as soon as they see a file change on the local machine, upload the new version to the cloud. The problem is that when CryptoLocker encrypts a file, the client simply sees a changed file and immediately backs up the encrypted copy, overwriting the original.

“Some unfortunate victims tried to recover from CryptoLocker by using their cloud backups only to find unusable encrypted versions. A service with multiple, database backups should prevent that problem,” Gill said. 
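The failure mode Gill describes, and the versioning that prevents it, side by side in an added example (this is illustrative code written for this page, not AppRiver's tooling or any real backup client's implementation). The sample document, the stand-in "ciphertext" (SHA-256 in counter mode, which is statistically indistinguishable from encrypted output for this purpose) and the 7.5 bits/byte entropy cut-off are all constructed assumptions for the demo. The overwriting client loses the original on the first sync after encryption; the versioned client keeps every copy, flags the text-to-ciphertext jump, and can hand back the last clean version.

```python
"""Overwriting vs. versioned backup client under a CryptoLocker-style rewrite.
Everything here is constructed for the example: the in-memory store, the
sample document, the stand-in ciphertext and the entropy threshold."""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte, assumed cut-off; real ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text is roughly 4-5, encrypted data about 7.9+."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class OverwritingBackup:
    """Mirrors only the latest copy: a change replaces whatever was stored before."""
    def __init__(self):
        self.files = {}

    def sync(self, path: str, data: bytes) -> None:
        self.files[path] = data  # the previous version is gone after this line

    def restore(self, path: str) -> bytes:
        return self.files[path]


class VersionedBackup:
    """Keeps every version (content-addressed) and flags changes that look encrypted."""
    def __init__(self, threshold: float = ENTROPY_THRESHOLD):
        self.threshold = threshold
        self.blobs = {}    # sha256 hex -> bytes
        self.history = {}  # path -> list of (sha256 hex, suspicious)

    def sync(self, path: str, data: bytes) -> bool:
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)
        versions = self.history.setdefault(path, [])
        suspicious = False
        if versions:
            prev = self.blobs[versions[-1][0]]
            # A file jumping from text-like to ciphertext-like entropy is the
            # signature of in-place encryption, not of an ordinary edit.
            suspicious = (shannon_entropy(data) >= self.threshold
                          and shannon_entropy(prev) < self.threshold)
        versions.append((digest, suspicious))
        return suspicious

    def restore(self, path: str, version: int = -1) -> bytes:
        return self.blobs[self.history[path][version][0]]

    def restore_last_clean(self, path: str) -> bytes:
        """Newest version that was not flagged as an encrypted-looking change."""
        for digest, suspicious in reversed(self.history[path]):
            if not suspicious:
                return self.blobs[digest]
        raise LookupError(f"no clean version of {path}")


# Constructed sample data: a plaintext document and a deterministic stand-in for
# ciphertext (SHA-256 in counter mode looks statistically like encrypted output).
DOCUMENT = b"Quarterly figures: revenue up 12%, headcount flat. " * 80
CIPHERTEXT = b"".join(
    hashlib.sha256(b"stand-in-key" + i.to_bytes(4, "big")).digest()
    for i in range(len(DOCUMENT) // 32 + 1)
)[:len(DOCUMENT)]


def simulate_attack() -> dict:
    """Run both clients through a normal edit, then a ransomware overwrite of the file."""
    naive, versioned = OverwritingBackup(), VersionedBackup()
    for client in (naive, versioned):
        client.sync("docs/q1.txt", DOCUMENT)                  # day 1: first save
        client.sync("docs/q1.txt", DOCUMENT + b"Revised.\n")  # day 2: legitimate edit
    flagged = versioned.sync("docs/q1.txt", CIPHERTEXT)       # day 3: file encrypted in place
    naive.sync("docs/q1.txt", CIPHERTEXT)
    return {
        "flagged": flagged,
        "naive_restore_is_ciphertext": naive.restore("docs/q1.txt") == CIPHERTEXT,
        "versioned_latest_is_ciphertext": versioned.restore("docs/q1.txt") == CIPHERTEXT,
        "versioned_last_clean": versioned.restore_last_clean("docs/q1.txt"),
    }


if __name__ == "__main__":
    result = simulate_attack()
    print("suspicious change flagged:", result["flagged"])
    print("overwriting client restores ciphertext:", result["naive_restore_is_ciphertext"])
    print("versioned client recovers:", result["versioned_last_clean"][:40])
```

The entropy check is a heuristic, not a guarantee: compressed archives and media files already sit near 8 bits/byte, so a real client would combine it with file-type awareness and rate-of-change limits. The part that actually saves the data is simpler and has no false positives: never discard a previous version on sync.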

Elsewhere in the report, the company analyzed all of the web and email-borne threats and malware trends that its platforms traced between January and March 2014, screening more than 14 billion messages. Out of those, nearly 10.9 billion were spam and another 490 million contained malware.

Once again, the US was the leading country of origin for spam email, with Europe logging the second-highest total, led by Spain, Germany and Italy. January saw more malicious email traffic than any month AppRiver had recorded since 2008, with one in every 10 messages carrying malware.

“Keep yourself informed and watch out for some of the common flaws that these malware campaigns employ, such as addressing people by their email as opposed to their actual names,” said AppRiver security analyst Fred Touchette. “Oftentimes generalities are used in the greeting with no names at all. That’s a big red flag, especially when the content appears so personal. If there are any questions as to the legitimacy of any email, contact the supposed sender directly to authenticate.”

Aside from the CryptoLocker copycats, other top stories for the quarter were HMRC, the IRS and the National Institute for Health and Care Excellence being used as lures for several attacks and scams, and the Asprox botnet, one of the most active so far this year.
