Worryingly, CryptoLocker ransomware turns from a Trojan… into a worm

Graham Cluley

As if CryptoLocker wasn’t causing enough problems by infecting and locking thousands of innocent users’ Windows computers, security researchers have discovered a new variant of the ransomware that takes its propagation to a new level.

As Trend Micro describes, new versions of CryptoLocker have been seen that have wriggled out of their Trojan horse form and adopted the skin of a USB-spreading worm instead.

Up until now, CryptoLocker couldn’t travel under its own steam. You would encounter it by opening an email attachment or clicking on a link, perhaps claiming to come from your bank or a delivery company.

However, the new version can spread between removable drives – posing as activation keys for tools such as Adobe Photoshop and Microsoft Office, seeded on P2P file-sharing networks.


That means, of course, that the bad guys behind this new variant don’t have to blast out a spam email campaign to spread their malware. And, it might make it easier for CryptoLocker to infect PCs across your organisation.

According to Trend Micro’s researchers, however, there is some good news about the current worm version of CryptoLocker:

Further analysis of WORM_CRILOCK reveals that it has a stark difference compared to previous variants. The malware has foregone domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware. Hardcoding the URLs makes it easier to detect and block the related malicious URLs. DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains.

You can learn more about the new version of the CryptoLocker malware in this Trend Micro blog post.

Make sure that you follow safe computing practices and are careful about what you run on your computers, and don’t forget to keep your anti-virus updated and your wits about you.

Further reading: CryptoLocker: What is it? And how do you protect against it?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Worryingly, CryptoLocker ransomware turns from a Trojan… into a worm”

  1. Richard Steven Hack

    I suspected something like this was coming.

    Cryptolocker has been massively profitable to the malware authors. Massive profit leads to capital investment by others.

    Expect more and worse versions.
