Lying in wait
There are advantages to these changes, however. Hard-coding is simpler, and spreading through P2P sites keeps the campaign less visible than a flood of phishing emails would.
Most interesting, and perhaps most revealing, is that Crilock.A adds the ability to infect removable drives. The worm technique is longstanding; infecting drives may slow the malware's spread, but it does give it a degree of longevity. On the other hand, while Crilock.A can lie dormant on drives for years to come, by the time such a copy activates it will probably be detected by most security programs.
The whole strategy suggests an opportunist gang that has hijacked (reverse engineered) the malware to hit a small but global target with something valuable to protect: files shared illegally via P2P. For obvious reasons, this group is also less likely to complain to the police.
For added spice, the variant also picks up other sneaky abilities: a component that launches DDoS attacks, theft of Bitcoin wallets, and even a Bitcoin-mining tool.
ESET has published a full list of the differences between Cryptolocker and Crilock.A/Cryptolocker 2.0 on its website, including the eccentric choice of the slower, more compute-intensive 3DES cipher in place of the conventional AES.
In the same pre-Christmas week that Cryptolocker 2.0 was detected, Dell SecureWorks published its estimate that the original programme had infected around 200,000 to 300,000 PCs in 100 days. Around 0.4 percent of these victims probably paid the ransom of around $300, demanded in Bitcoin or via MoneyPak.