CryLocker ransomware is spreading fast. In the past two weeks, the file-encrypting ransomware variant has infected more than 8,000 computers. According to MalwareHunterTeam researchers, approximately 3,200 individuals had been infected with CryLocker ransomware by September 2, 2016. By September 4, the number had more than doubled, with 6,800 confirmed victims. On September 5, there were more than 8,000 victims.
CryLocker ransomware encrypts a very long list of file types, including images, videos, databases, documents, spreadsheets, and project files. Encrypted files are given the .cry extension. Windows shadow copies are also deleted to make it harder for victims to recover their files without paying the ransom. The ransomware also backs up desktop shortcuts, although it is not yet clear why.
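The two host-side behaviours described above (a burst of files being renamed to the .cry extension, followed by shadow copy deletion) are the kind of thing an endpoint sensor can flag before the wallpaper changes. The following is an added detection example written for this article; it is not code from the page or from the MalwareHunterTeam analysis. The log format, the process IDs, the rename threshold and window, and the `vssadmin`/`wmic` command lines used to delete shadow copies are all assumptions made here; the article itself only states that shadow copies are deleted, not how.

```python
"""Flag CryLocker-style behaviour in constructed endpoint event logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXT = ".cry"                      # extension the article reports for encrypted files
RENAME_THRESHOLD = 20                    # assumed: .cry renames per process before alerting
RENAME_WINDOW = timedelta(seconds=60)    # assumed: sliding window for the rename burst
# Assumed command-line markers for shadow copy deletion; the article does not name the tool.
SHADOW_DELETE_MARKERS = (
    ("vssadmin", "delete shadows"),
    ("wmic", "shadowcopy delete"),
)


def build_sample_events():
    """Constructed sample log lines, not real telemetry: 'ISO-time|kind|pid|detail'."""
    base = datetime(2016, 9, 5, 10, 0, 0)
    events = []
    # A benign "save as" by an editor (one rename, no .cry extension)
    events.append("|".join([base.isoformat(), "rename", "1001",
                            "C:\\Users\\a\\report.docx -> C:\\Users\\a\\report_v2.docx"]))
    # One process renaming a file to .cry every second for 25 seconds
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        src = "C:\\Users\\a\\Pictures\\img%d.jpg" % i
        events.append("|".join([ts, "rename", "4242", "%s -> %s%s" % (src, src, RANSOM_EXT)]))
    # The same process then removes shadow copies
    events.append("|".join([(base + timedelta(seconds=26)).isoformat(), "process", "4242",
                            "vssadmin.exe Delete Shadows /All /Quiet"]))
    # An administrator merely listing shadow copies; this must not alert
    events.append("|".join([(base + timedelta(seconds=30)).isoformat(), "process", "777",
                            "vssadmin.exe List Shadows"]))
    return events


def parse_event(line):
    """Split one constructed log line into (timestamp, kind, pid, detail)."""
    ts, kind, pid, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), kind, int(pid), detail


def detect(events):
    """Return (pid, rule, description) alerts for mass .cry renames and shadow copy deletion."""
    alerts = []
    recent = defaultdict(deque)   # pid -> timestamps of .cry renames inside the window
    burst_flagged = set()         # alert once per process, not once per file
    for line in events:
        ts, kind, pid, detail = parse_event(line)
        if kind == "rename":
            new_name = detail.split(" -> ", 1)[-1].lower()
            if not new_name.endswith(RANSOM_EXT):
                continue
            window = recent[pid]
            window.append(ts)
            while window and ts - window[0] > RENAME_WINDOW:
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and pid not in burst_flagged:
                burst_flagged.add(pid)
                alerts.append((pid, "mass_rename",
                               "%d files renamed to %s within %ds"
                               % (len(window), RANSOM_EXT, RENAME_WINDOW.total_seconds())))
        elif kind == "process":
            cmd = detail.lower()
            # Both the tool name and the destructive verb must be present to alert
            for tool, action in SHADOW_DELETE_MARKERS:
                if tool in cmd and action in cmd:
                    alerts.append((pid, "shadow_copy_deletion", detail))
                    break
    return alerts


if __name__ == "__main__":
    for pid, rule, description in detect(build_sample_events()):
        print("pid %d  %-22s %s" % (pid, rule, description))
```

Run against the constructed events, the detector raises exactly two alerts, both for process 4242: the rename burst (at the twentieth .cry rename) and the shadow copy deletion. The `vssadmin.exe List Shadows` line from process 777 is ignored because only the tool name matches, not the destructive action. In a real deployment the rename rule would key on any unknown extension appearing in bulk rather than on .cry alone, since the extension is trivially changed between variants.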
Once files have been encrypted, a new wallpaper is set which advises the victim that their files have been encrypted with CryLocker ransomware. Victims are told “Cry not, this files can be restored easily.” However, that will come at a cost of 1.1 Bitcoin – around $625.
If payment is not made within the stipulated time frame, victims are warned that the ransom will increase to $1250. Should that second time limit be exceeded, files will be locked forever. Victims are also told that their files have been locked with military-grade encryption.
Instructions are provided to enable the victim to pay the ransom. When they click on the link provided, they are directed to a Tor payment site which claims to be operated by the Central Security Treatment Organization. The payment screen also includes a crest that bears a striking similarity to those used by the CIA and FBI. Specifically, the note comes from the Department of Pre-Trial Settlement. Neither the Department of Pre-Trial Settlement nor the Central Security Treatment Organization is a real organization.
Since the new ransomware variant has only just been discovered and is still being researched, it is currently unclear whether files can be decrypted without paying the ransom. It is also unclear exactly how the victims are infected.
The MalwareHunterTeam, along with Bleeping Computer’s Lawrence Abrams, have been analysing the malware. So far, they have determined that CryLocker communicates with its C&C using the User Datagram Protocol (UDP). Photo sharing service Imgur is also used in attacks, as is Google Maps.
A considerable amount of user data is gathered and transferred to the attackers, including details of the victim’s location. The WlanGetNetworkBssList function is used to compile a list of wireless networks in the vicinity and their Service Set Identifiers (SSIDs), and the Google Maps API is then used to determine the victim’s location from that list. It is unclear why this capability has been included, but it will likely be used to scare the victim into paying.