ESET reported that malware branded "CryptoLocker 2.0" is likely not a new version of the original CryptoLocker but a separate copycat ransomware family using the name for credibility and profit. The company said the threat, detected as MSIL/Filecoder.D and MSIL/Filecoder.E, still encrypts victim files with public-key cryptography and demands payment, but differs substantially from the original in its programming language, encryption workflow, command-and-control behavior, ransom process, and the types of files it targets. Unlike the original CryptoLocker, the newer strain was written in C#, targets a broader set of consumer media files, stores encrypted keys in separate .k files, and accepts ransom payments only in Bitcoin.
Researchers said the malware also carries broader trojan functionality beyond file encryption. ESET observed samples masquerading as software cracks, spreading through removable media, stealing Bitcoin wallets, launching BFGMiner, and potentially supporting DDoS activity. The company warned that, despite being a copycat rather than the original operation, the malware can still cause serious damage to victims who lack reliable backups, and it urged users to maintain current backups and updated security protections.

3 events from the most recent confirmed update back to the earliest known activity.
Beyond file encryption, ESET observed capabilities including masquerading as software cracks, spreading via removable media, stealing Bitcoin wallets, launching BFGMiner, and potentially conducting DDoS attacks. ESET warned that the malware could still seriously harm victims without backups.
ESET reported that the newer malware differed substantially from the original CryptoLocker in programming language, encryption workflow, ransom payment options, targeted file types, and command-and-control behavior. It was written in C#, stored encrypted keys in separate .k files, targeted a broader set of consumer media files, and accepted only Bitcoin.
ESET analyzed a ransomware family calling itself 'Cryptolocker 2.0' and concluded it was probably not a new version of the original CryptoLocker but a separate copycat operation using the name for criminal profit. The malware was detected as MSIL/Filecoder.D and MSIL/Filecoder.E.