Cryptolocker Ransomware Evolves to Spread on Its Own

The notorious Cryptolocker ransomware, which strongly encrypts victims' hard drives until a ransom is paid, has taken a turn for the worse — it's evolved from a Trojan into a worm.

This means the uncrackable malware can now propagate itself, rather than relying on gullible humans to open infected email attachments or point their browsers at corrupted Web pages.

"This update is considered significant because this routine was unheard of in other CRILOCK variants," wrote security firm Trend Micro in a recent blog posting, using the company's own name for the malware. "The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants."

The malware seems to have been re-engineered to spread via USB flash drives and PCs in a two-step process, much in the way bubonic plague was spread among humans and fleas.

Greed plays a part as well; the new variant lurks on file-sharing sites, pretending to be an "activator" that verifies pirated copies of Adobe Photoshop and Microsoft Office.

Victims trying to get those paid software products for free will run the "activators," infecting themselves and copying the malware onto any USB drives that are subsequently plugged into their machines. (So far, Cryptolocker infects only Windows PCs.)

There is a silver lining, although it may be temporary. While older versions of Cryptolocker used domain-generation algorithms (DGAs) to constantly move their command-and-control servers from one Web domain name to another, this new variant uses fixed control-server domains, making them easier for anti-virus software to block.

"This could mean that the malware is still in the process of being refined and improved upon," Trend Micro noted. "Thus, we can expect latter variants to have the DGA capability."
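The blocking advantage described above, shown as an added example that is not part of the original article or of Trend Micro's material: a static blocklist check run over a constructed DNS query log. The domain names, log format and function names are assumptions, since the article names no control-server domains.

```python
from collections import defaultdict

# Constructed placeholder blocklist: the article names no domains, so these
# reserved .example names stand in for a variant's fixed control servers.
BLOCKLIST = {"c2-one.example", "c2-two.example"}

# Constructed DNS query log: "<timestamp> <client-ip> <queried-name>"
SAMPLE_LOG = """\
2014-01-03T09:14:02Z 10.0.0.21 intranet.corp.example
2014-01-03T09:14:07Z 10.0.0.37 C2-One.example.
2014-01-03T09:15:40Z 10.0.0.37 update.c2-two.example
2014-01-03T09:16:11Z 10.0.0.52 notc2-one.example
malformed line
2014-01-03T09:17:30Z 10.0.0.21 xkqjwpevhz.example
"""

def normalize(name):
    """Lowercase and strip the trailing root dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")

def is_blocked(name, blocklist=BLOCKLIST):
    """True if name equals a listed domain or is a subdomain of one.
    Matching walks label boundaries, so 'notc2-one.example' does not match."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def flag_clients(log_text, blocklist=BLOCKLIST):
    """Return {client_ip: sorted list of blocked names it queried}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of failing the scan
        _, client, qname = parts
        if is_blocked(qname, blocklist):
            hits[client].add(normalize(qname))
    return {client: sorted(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_LOG).items():
        print(client, "queried blocked control-server names:", ", ".join(names))
```

The unlisted name in the last log line passes the check, which is the position every DGA-generated domain would be in until it is added to the list.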

Trend Micro has posted a useful FAQ for readers worried about Cryptolocker. Good anti-virus software should also block most variants.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.