Last Wednesday, we reported on a new strain of ransomware called "Cry" or "CryLocker" that encrypts your data with the .cry extension and, inexplicably, harvests your location data from Google Maps and posts an image to the image-sharing site Imgur.
Now we know what kind of image file it posts to the site, and why the ransomware does it.
While almost all ransomware variants send the victim's information directly to the attacker's Command and Control (C&C) servers, CryLocker uses Portable Network Graphics (PNG) image files to document the victim's information, such as the location and the list of encrypted files, and then uploads the picture directly to an album on a public image-sharing site such as Imgur.
Why are the ransomware's masters employing such middle-man tactics, you might ask? Security researchers say it is done to further hide the attackers' location and identities.
Security researchers say that it is another step in their smoke-and-mirrors strategy in case they have to change their C&C IPs. A PNG file containing the victim's information is uploaded to Imgur each time a new victim is infected. The image gets a unique file name and is broadcast to the 4096 IP addresses the ransomware uses (the real C&C server is hidden among these IPs). This way, a record of the victim will always be accessible.
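The behaviour described above (an upload to an image-sharing site immediately followed by a burst of connections to thousands of distinct IP addresses) is a pattern defenders can look for in proxy or flow logs. The following detection heuristic is an added example, not code from the article or from the researchers quoted; the flow-record fields, the 60-second window, the 256-destination threshold and the sample records are all constructed assumptions.

```python
"""Flag hosts that upload to an image-sharing site, then fan out to many distinct IPs.

Added example with constructed flow records, not real telemetry. Field names, the
60 s window and the distinct-destination threshold are assumptions chosen to match
the behaviour described above, not values taken from the malware.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # epoch seconds at which the connection was opened
    src: str         # internal host
    dst: str         # destination IP
    host: str = ""   # HTTP Host header if the proxy logged one, else ""
    method: str = "" # HTTP method if logged, else ""


def detect_upload_fanout(flows, upload_hosts=("imgur.com", "i.imgur.com"),
                         window=60.0, min_distinct_dsts=256):
    """Return {src: distinct_dst_count} for every host that POSTs to an upload host
    and, within `window` seconds afterwards, connects to >= min_distinct_dsts IPs."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    hits = {}
    for src, fs in by_src.items():
        for up in (f for f in fs if f.method == "POST" and f.host in upload_hosts):
            # Direct-to-IP connections (no Host header) in the window after the upload
            dsts = {f.dst for f in fs if up.ts <= f.ts <= up.ts + window and not f.host}
            if len(dsts) >= min_distinct_dsts:
                hits[src] = max(hits.get(src, 0), len(dsts))
    return hits


def constructed_sample():
    """Synthetic dataset: one infected-looking host and one busy but normal host."""
    flows = [Flow(1000.0, "10.0.0.5", "198.51.100.10", "i.imgur.com", "POST")]
    for i in range(4096):  # broadcast to 4096 distinct IPs within ~20 s of the upload
        flows.append(Flow(1001.0 + i / 200, "10.0.0.5", f"203.0.{i // 256}.{i % 256}"))
    for i in range(40):    # normal workstation: a few dozen destinations, no upload
        flows.append(Flow(1000.0 + i, "10.0.0.9", f"192.0.2.{i}"))
    return flows


if __name__ == "__main__":
    print(detect_upload_fanout(constructed_sample()))  # {'10.0.0.5': 4096}
```

The threshold is deliberately far below 4096 so that a partial capture still triggers; tune it against your own baseline of how many distinct destinations a workstation normally contacts in a minute.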