UPDATE: A new strain of ransomware known variously as Cry or CryLocker has emerged, and it’s using a few novel techniques, including communicating with its command-and-control infrastructure over UDP and using the Google Maps API to geolocate victims.
Researchers at the MalwareHunterTeam discovered the CryLocker ransomware and analyzed its behavior, with the help of Lawrence Abrams of Bleeping Computer and Daniel Gallagher. They found that the malware will encrypt a long list of file types and then display a screen to the victim with a logo from the fictional Central Security Treatment Organization that demands a payment of $625 for the decryption key, payable on a Tor site. After the initial infection, the Cry ransomware will gather a set of details about the victim’s computer and send them over UDP to thousands of IP addresses, only one of which is the real C&C server.
“When a victim is infected, the ransomware will compile a variety of information such as the Windows version, the service pack installed, the Windows bit-type, the user name, the computer name, and the type of CPU installed in the computer. This information will then be sent via UDP to [4095] different IP addresses, with one of them being the ransomware’s Command & Control server. The use of UDP packets is probably being done to obfuscate the location of the Command & Control server so that authorities cannot seize it,” Abrams wrote in an analysis of the ransomware.
Abrams said in an email to On the Wire that Cry broadcasting the victim’s information to so many IP addresses is a way to cloak the location of the C&C server.
“Communicating with the Command & Control server via UDP to a large range of hosts is to obfuscate the location of the C2 server,” he said.
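The fan-out Abrams describes is also what makes this traffic easy to spot from the network side: a single workstation does not normally send small UDP datagrams to thousands of distinct addresses in under a minute. The following is an added detection example (not CryLocker’s code and not from Bleeping Computer’s analysis). The flow-record layout, the 60-second window, the 500-destination threshold and the sample traffic are all constructed for the demo; tune the window and threshold against your own baseline before deploying anything like it.

```python
"""Detect the UDP fan-out pattern: one host emitting small UDP datagrams to
thousands of distinct destinations inside a short window. Added example, not
the malware's code; the record format and sample traffic are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    ts: float        # epoch seconds
    src: str
    dst: str
    proto: str       # "udp" / "tcp"
    dport: int
    orig_bytes: int  # bytes sent by the originator


def parse_conn_line(line: str) -> Flow:
    """Parse one constructed tab-separated record: ts src dst proto dport orig_bytes."""
    ts, src, dst, proto, dport, nbytes = line.rstrip("\n").split("\t")
    return Flow(float(ts), src, dst, proto, int(dport), int(nbytes))


def udp_fanout_alerts(flows: Iterable[Flow], window: float = 60.0,
                      min_dsts: int = 500, max_bytes: int = 1024) -> Dict[str, int]:
    """Per source, slide a `window`-second window over its small UDP flows and
    track how many distinct destination IPs fall inside it.
    Returns {src: peak_distinct_dsts} for sources whose peak reaches min_dsts."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto == "udp" and f.orig_bytes <= max_bytes:
            by_src[f.src].append(f)

    alerts: Dict[str, int] = {}
    for src, fl in by_src.items():
        live: Dict[str, int] = defaultdict(int)  # dst -> flows currently in window
        left, peak = 0, 0
        for f in fl:
            live[f.dst] += 1
            # Drop flows that have aged out of the window, oldest first.
            while f.ts - fl[left].ts > window:
                old = fl[left].dst
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            peak = max(peak, len(live))
        if peak >= min_dsts:
            alerts[src] = peak
    return alerts


def build_sample_log(n_targets: int = 4096) -> List[str]:
    """Constructed traffic: 10.0.0.7 sprays one 140-byte UDP datagram to each of
    n_targets addresses in 10.20.0.0/20 over about 20 s; 10.0.0.5 does ordinary DNS."""
    lines = []
    for i in range(n_targets):
        ts = 1000.0 + i * 0.005
        dst = "10.20.%d.%d" % (i // 256, i % 256)
        lines.append("%.3f\t10.0.0.7\t%s\tudp\t4444\t140" % (ts, dst))
    for i in range(50):
        lines.append("%.3f\t10.0.0.5\t10.0.0.53\tudp\t53\t60" % (1000.0 + i * 0.4))
    return lines


if __name__ == "__main__":
    flows = [parse_conn_line(line) for line in build_sample_log()]
    for src, peak in udp_fanout_alerts(flows).items():
        print("ALERT %s reached %d distinct UDP destinations within 60s" % (src, peak))
```

The sliding window is kept per source so a noisy DNS client or a legitimate scanner on a different host does not inflate another host’s count, and the byte cap filters out bulk UDP such as media streams. On a real Zeek or NetFlow feed you would replace `parse_conn_line` with the exporter’s own field mapping and run the function over each collection interval.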
Cry also takes the information it’s gathered about the infected computer and uploads it to a specific album on Imgur. The data is compiled into a phony PNG image before it’s sent to Imgur, which then assigns an ID for the file. That ID is then sent to those same 4095 IP addresses, Abrams said. Cry also creates a randomly named scheduled task that runs whenever the victim logs into Windows on an infected machine, a method for maintaining persistence.
The other unique characteristic of the Cry ransomware is the use of the Google Maps API to try to locate victims geographically. Abrams said that after infection, the ransomware will enumerate the wireless network SSIDs within range and then use the Google Maps API to get the physical location of those networks.
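Pushing a data blob through an image host as a “PNG” only works if nothing along the way checks that the file is actually a well-formed image. The page does not say how Cry assembles its phony PNG, so the check below is generic: it walks the chunk layout, verifies every chunk CRC, and refuses files with bytes after IEND. This is an added example (not CryLocker code, and not derived from its samples); the two phony files it tests against, a PNG signature glued onto a text record and a real image with a record appended, are constructed guesses at how such a blob might be dressed up, not the malware’s real format.

```python
"""Structural check for files that claim to be PNGs. Added example, not the
malware's code; the phony samples are constructed, not CryLocker's format."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A real 1x1 RGB PNG built from scratch, used as the known-good control."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolor
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def _parse_chunks(data: bytes):
    """Return ([(type, payload, crc_ok), ...], offset_after_IEND).
    Raises ValueError when the chunk layout does not fit the file."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    chunks = []
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("chunk %r claims %d bytes past end of file" % (ctype, length))
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        chunks.append((ctype, payload, crc_ok))
        pos = end + 4
        if ctype == b"IEND":
            return chunks, pos


def classify_png(data: bytes) -> dict:
    """Return {'ok': bool, 'reason': str, 'trailing': int}. A file passes only
    if it is well-formed end to end: signature, IHDR first, every CRC correct,
    IEND present, and nothing after IEND."""
    try:
        chunks, end = _parse_chunks(data)
    except ValueError as e:
        return {"ok": False, "reason": str(e), "trailing": 0}
    trailing = len(data) - end
    if chunks[0][0] != b"IHDR":
        return {"ok": False, "reason": "first chunk is not IHDR", "trailing": trailing}
    bad = [c[0] for c in chunks if not c[2]]
    if bad:
        names = b",".join(bad).decode("latin-1")
        return {"ok": False, "reason": "CRC mismatch in %s" % names, "trailing": trailing}
    if trailing:
        return {"ok": False, "reason": "%d bytes after IEND" % trailing, "trailing": trailing}
    return {"ok": True, "reason": "well-formed PNG", "trailing": 0}


# Constructed samples (assumed shapes, not the real malware's format).
VICTIM_RECORD = b"Windows 7|SP1|x64|bob|PC1|Intel"
PHONY_PREFIXED = PNG_SIG + VICTIM_RECORD           # signature stapled onto text
PHONY_APPENDED = make_minimal_png() + VICTIM_RECORD  # real image, record after IEND

if __name__ == "__main__":
    for name, blob in [("real", make_minimal_png()), ("prefixed", PHONY_PREFIXED),
                       ("appended", PHONY_APPENDED)]:
        print(name, classify_png(blob))
```

A check like this belongs at an upload gateway or in a sandbox that inspects outbound uploads; note that a polyglot which hides its payload inside a correctly CRC’d ancillary chunk (a `tEXt` chunk, for instance) would pass the structural test, so pair it with a size or entropy check on unusual chunk types rather than relying on it alone.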
“It is unsure what this is currently being used for, but this information could be used to generate an image of the victim’s location using Google maps. This could then be used to further scare the victims into paying the ransom,” Abrams said.
The use of Google Maps to physically locate victims’ machines is a worrying development in the evolution of ransomware. The loss of valuable data is bad enough, but having to worry about the cybercriminals knowing where their victims live or work is even more concerning.
This story was updated on Sept. 8 to add comments from Abrams.