It seems like forever, but actually it was only the end of last year that we were writing about CryptoLocker which had pretty much redefined the ransomware landscape. Now this particular threat market is morphing again with the discovery of onion crypto ransomware.

Also known as Critroni, and CTB-Locker for what it's worth, the ransomware has been openly available (if you'll excuse the contradiction) on the underweb dark market for a few weeks now. However, this last week it has emerged in the wild being dropped by something called the Angler exploit kit. So why is this such a change in the ransomware attack methodology? Mainly, researchers are telling us, because it uses the anonymous Tor network in order to hide the command and control centers.

CryptoLocker upped the anti by encrypting files on the target computer, persisting across reboots and also encrypting backups on connected networks. It also demanded the ransom in Bitcoin in order to, the victim would hope, release a key for decryption. When the Gameover Zeus malware operation was successfully taken down by law enforcement agencies from the US and Europe, it looked like CryptoLocker was dead in the water as this was a key distribution channel. It should come as no surprise, and is likely no coincidence, that at exactly the same time the first instances of underground marketing for Critroni were spotted by security researchers. Now emerging from the Russian enclave where it was first tested out, Critroni/Onion sells for 'just' $3000 and is being seen in a diverse range of attack scenarios including via spambot installations being dropped by Angler.

Like CryptoLocker before it, the ransomware will encrypt a bunch of files including those which often have the most perceived value within the consumer market (targeted as they are less likely to be security savvy)such as photos, music and documents. Like CryptoLocker, the ransom demand is in Bitcoin and currently stands at 0.5 BTC or $300 give or take.

Unlike CryptoLocker, Critroni/CTB-Locker/Onion (call it what you will) uses the Tor network to operate the command and control infrastructure. In itself this is not new, as some banking Trojan malware has somewhat ironically been spotted operating covertly on Tor in recent months, however it is thought to be the first time that a crypto-ransomware threat has used it. The executable for getting that Tor connection is embedded in the body of the ransomware, rather than in an accompanying Tor.exe file according to Kaspersky researchers who have been doing much of the digging. This would suggest that, from a programming perspective, the people behind it are actually quite accomplished.

See here for a detailed analysis of the threat.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

4 Years
Discussion Span
Last Post by iamthwee

Evil side: I like the idea of using Tor to control malware. It's more convieneint then using public wifi, usenet, Pastebay, etc...

Good"er" side: Back your stuff up (off site)! Randsomware, harddrive failure, fire, theft, etc... are all dangerous.


Ever since I moved to linux I've not had to deal such issues. I haven't reformatted my machine in at least two years.

Votes + Comments
You see fan of formating ;)
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.