Last Wednesday, we reported on a new strain of ransomware called "Cry" or "CryLocker" that encrypts your data, appending the .cry extension, and, inexplicably at the time, harvests your location data via Google Maps and uploads an image to the image-sharing site Imgur.
Now we know what kind of image file it posts to the site, and why the ransomware does it.
While almost all ransomware variants simply send the victim's information directly to the attacker's command-and-control (C&C) servers, CryLocker writes the victim's information, such as the location and the list of encrypted files, into a Portable Network Graphics (PNG) image file and then uploads the picture directly to an album on a public image-sharing site such as Imgur.
Why would the ransomware's operators employ such a middle-man tactic, you might ask? According to security researchers, it is to further hide the attackers' location and identities.
Security researchers say it is another step in the operators' smoke-and-mirrors strategy, and one that also keeps victim records available if they have to change their C&C IPs. Each time a new victim is infected, a PNG file containing the victim's information is uploaded to Imgur under a unique file name, and that file name is broadcast to the 4096 IP addresses the malware carries (the real C&C server is hidden somewhere among them). This way a record of the victim remains accessible to the attackers no matter which address is listening.
If the Imgur upload fails, CryLocker tries to post the information to pastee.org instead. If both the Imgur and pastee.org uploads fail, the information is sent directly to the same 4096 IP addresses over UDP port 4444. Researchers say UDP was chosen to further hide the C&C server's real address: because UDP is connectionless, the sender needs no handshake or reply from the live server, so nothing in the traffic distinguishes the one real address from the 4095 decoys.
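The direct-to-C&C fallback has a distinctive network footprint: one infected host replaying the same small UDP datagram to thousands of distinct destinations on port 4444 within a short window. The following is an added example of how a defender could flag that fan-out in firewall logs; it is not from the original report and not code from the malware or from the researchers who analysed it. The log format, the host addresses, and the thresholds (32 distinct destinations in 5 minutes) are constructed assumptions for the demonstration, and the sample log lines are fabricated test data rather than captured traffic.

```python
"""Flag UDP fan-out from one source to many destinations on a given port.

Hypothetical firewall log format (constructed for this example, not a real
product's syntax):
  <ISO8601 ts>Z action=<allow|deny> proto=<udp|tcp> src=<ip> dst=<ip> dport=<n> bytes=<n>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": d["action"],
        "proto": d["proto"].lower(),
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "bytes": int(d["bytes"]),
    }


def find_udp_fanout(lines, dport=4444, min_dests=32, window=timedelta(minutes=5)):
    """Return {src: (distinct_dest_count, uniform_size)} for every source that sent
    UDP datagrams to at least `min_dests` distinct destinations on `dport` inside
    some `window`-long span. uniform_size is True when every datagram in that span
    had the same length, the signature of one record being replayed to many hosts.
    Thresholds are assumptions; tune them to the network being monitored.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "udp" and ev["dport"] == dport:
            events[ev["src"]].append((ev["ts"], ev["dst"], ev["bytes"]))

    hits = {}
    for src, evs in events.items():
        evs.sort()  # by timestamp, then destination
        best_count, best_sizes, start = 0, set(), 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            dests = {dst for _, dst, _ in span}
            if len(dests) > best_count:
                best_count = len(dests)
                best_sizes = {size for _, _, size in span}
        if best_count >= min_dests:
            hits[src] = (best_count, len(best_sizes) == 1)
    return hits


def build_sample_log():
    """Constructed traffic, not a real capture: 10.0.0.12 replays one 612-byte
    datagram to 40 hosts on UDP/4444 within 40 seconds (the fan-out pattern);
    10.0.0.20 sends three DNS queries; 10.0.0.30 talks to only two peers on 4444."""
    base = datetime(2016, 9, 7, 10, 15, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(40):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{ts} action=allow proto=udp src=10.0.0.12 dst=203.0.113.{i + 1} dport=4444 bytes=612")
    for i in range(3):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{ts} action=allow proto=udp src=10.0.0.20 dst=198.51.100.{i + 1} dport=53 bytes=70")
    for i in range(2):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{ts} action=allow proto=udp src=10.0.0.30 dst=198.51.100.{i + 10} dport=4444 bytes=100")
    return lines


if __name__ == "__main__":
    for src, (count, uniform) in find_udp_fanout(build_sample_log()).items():
        print(f"{src}: {count} distinct UDP/4444 destinations, uniform payload size={uniform}")
```

The sliding window recomputes the destination set per event, which is fine for a batch over a few thousand lines but should be replaced by an incrementing counter in a streaming detector. A real CryLocker burst would show roughly 4096 destinations, so a threshold of 32 is deliberately low to catch partial or rate-limited bursts; raise it if the network legitimately runs UDP discovery protocols on that port.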
Other user information said to be gathered by CryLocker includes the Wi-Fi access point used by the target machine, the keyboard layout, and the system language.
Interestingly, CryLocker will not activate if it detects one of the following languages: Russian, Kazakh, Belarusian, Sakha, Ukrainian, or Uzbek. This strongly suggests that CryLocker originates from Russia or another country in the Commonwealth of Independent States.