Cryptolocker has at least one copycat, what MSPs need to know

Posted by Manny Veiga on Jan 20, 2014 1:46:00 PM


One of the newest strains of malware, cryptolocker, is proving to be an even more dangerous version of its ransomware predecessors, forcing businesses to either pay a ransom or abandon their data, which is left encrypted and unrecoverable. Even more worrisome is the belief among some experts that there's a cryptolocker copycat sneaking its way around the internet.

New iteration worming its way into computers
A new cryptolocker variant called WORM_CRILOCK.A can spread to other computers through remote drives, Trend Micro reported. There are a few other big differences between this copycat and the original cryptolocker, including its reliance on peer-to-peer file sharing sites rather than on downloads to infect systems.

This cuts out cyber criminals' dependence on spam emails, which the original cryptolocker relied on and which potential victims can more easily avoid. Instead, on P2P sites, the newest version can pose as highly desirable software for download, including Adobe Photoshop and Microsoft Office.

A recent article for We Live Security highlights the additional divergences between what it calls cryptolocker 2.0 and the original. These include:

  • The original cryptolocker uses RSA-2048, whereas the copycat uses RSA-1024 (despite claiming in its ransom message to use RSA-4096).
  • The original cryptolocker displays a countdown timer to the person paying the ransom, whereas 2.0 only displays the deadline by which the encryption key will be deleted.
  • Cryptolocker 2.0 will only accept payment in Bitcoins.

So what can MSPs do to help clients avoid becoming the latest victim of cryptolocker or subsequent versions?

To start, you can check out a replay of our recent cryptolocker webinar, in which our in-house experts Paul Hanley and Nathan Bradbury shared best practices that can help protect you from any malware infection. Chief among those defenses: offsite backup.

On top of that, our Partner Support Engineer Josh Berkowitz-Geller explains that IT professionals can take a few steps to protect systems from this specific cryptolocker copycat.

"IT professionals should be sure to use antivirus software that scans for removable drives, and be as careful as ever when retrieving software files over torrenting," Berkowitz-Geller recommends. "Tech professionals should already be careful to look for legitimate and official torrents for software that permits this as a distribution method, and direct downloads from official sites and mirrors when these are the only options."

Remind your clients that however they move data between computers, every method is a potential vector for infection. Having a comprehensive security system in place, along with robust, encrypted data backup, is key to warding off attack and infection and to avoiding being held hostage. This way, no matter what happens, data will remain safe.



Topics: Malware
