Onion crypto-ransomware now using Tor network


It seems like forever, but actually it was only the end of last year that we were writing about CryptoLocker, which had pretty much redefined the ransomware landscape. Now this particular threat market is morphing again with the discovery of "Onion" crypto-ransomware.

Also known as Critroni and CTB-Locker, the ransomware has been openly available (if you'll excuse the contradiction) on the underweb dark market for a few weeks now. However, this last week it has emerged in the wild, being dropped by something called the Angler exploit kit. So why is this such a change in ransomware attack methodology? Mainly, researchers are telling us, because it uses the anonymous Tor network to hide its command and control servers.

CryptoLocker upped the ante by encrypting files on the target computer, persisting across reboots and also encrypting backups on connected network shares. It also demanded the ransom in Bitcoin in order to, the victim would hope, obtain the key needed for decryption. When the GameOver Zeus botnet was successfully taken down by law enforcement agencies from the US and Europe, it looked like CryptoLocker was dead in the water, as this was a key distribution channel. It should come as no surprise, and is likely no coincidence, that at exactly the same time the first instances of underground marketing for Critroni were spotted by security researchers. Now emerging from the Russian enclave where it was first tested out, Critroni/Onion sells for 'just' $3000 and is being seen in a diverse range of attack scenarios, including via spambot installations that are themselves dropped by the Angler exploit kit.

Like CryptoLocker before it, the ransomware encrypts a range of file types, including those which often have the most perceived value within the consumer market (targeted as consumers are less likely to be security savvy), such as photos, music and documents. Like CryptoLocker, the ransom demand is in Bitcoin and currently stands at 0.5 BTC, or $300 give or take.

Unlike CryptoLocker, Critroni/CTB-Locker/Onion (call it what you will) uses the Tor network to operate its command and control infrastructure. In itself this is not new, as some banking Trojan malware has somewhat ironically been spotted operating covertly on Tor in recent months; however, it is thought to be the first time that a crypto-ransomware threat has used it. The code that establishes the Tor connection is embedded in the body of the ransomware itself, rather than shipped as an accompanying Tor.exe file, according to the Kaspersky researchers who have been doing much of the digging. This would suggest that, from a programming perspective, the people behind it are actually quite accomplished.
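One practical consequence of embedding the Tor client in the ransomware body is that there is no separate tor.exe to spot on disk; the Tor code has to be found inside the malicious executable itself. The following Python script is an added triage example, not code from the article or from Kaspersky's analysis: it scans a raw file image for strings that a statically linked Tor client typically carries (default directory authority nicknames, a directory consensus request path, a version banner) and for v2 .onion addresses of the form used in 2014. The marker strings and both sample binaries are assumptions constructed for the example and are not published CTB-Locker indicators.

```python
import re

# Strings a statically linked Tor client usually carries in its binary.
# These are assumptions for this example, taken from Tor's public default
# configuration and directory protocol, not indicators published for CTB-Locker.
TOR_MARKERS = [
    b"moria1",                              # default directory authority nickname
    b"tor26",                               # another default directory authority nickname
    b"/tor/status-vote/current/consensus",  # directory consensus request path
    b"Tor v",                               # start-up banner prefix, e.g. "Tor v0.2.4.22" (assumed)
]

# v2 hidden service address as used in 2014: 16 base32 characters plus ".onion".
ONION_RE = re.compile(rb"(?<![a-z2-7])([a-z2-7]{16})\.onion(?![a-z0-9])")


def find_tor_indicators(blob: bytes) -> dict:
    """Scan a raw file image for signs of an embedded Tor client.

    Returns the Tor marker strings present, any .onion addresses found and a
    triage verdict: two independent Tor strings, or an .onion address next to
    at least one Tor string, is treated as 'embedded Tor likely'. A dropped
    standalone tor.exe would trip the same check, so the verdict says the file
    contains Tor, not by itself that the file is ransomware.
    """
    markers = [m.decode() for m in TOR_MARKERS if m in blob]
    onions = sorted({m.group(1).decode() + ".onion" for m in ONION_RE.finditer(blob)})
    likely = len(markers) >= 2 or (bool(onions) and len(markers) >= 1)
    return {"markers": markers, "onion_addresses": onions, "embedded_tor_likely": likely}


# Constructed sample 1: a fake PE image with Tor strings and a C2 onion
# address inlined into its body, mimicking the embedding described above.
SAMPLE_EMBEDDED = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x00" * 16
    + b"Tor v0.2.4.22 running on Windows\x00"
    + b"moria1 orport=9101\x00"
    + b"/tor/status-vote/current/consensus\x00"
    + b"ab2cdefghi3jklmn.onion\x00"     # constructed, not a real hidden service
    + b"\x00" * 32
)

# Constructed sample 2: an ordinary binary with no Tor strings at all.
SAMPLE_BENIGN = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"This program cannot be run in DOS mode.\x00"
    + b"kernel32.dll\x00CreateFileW\x00WriteFile\x00"
)

if __name__ == "__main__":
    for name, blob in (("embedded", SAMPLE_EMBEDDED), ("benign", SAMPLE_BENIGN)):
        print(name, find_tor_indicators(blob))
```

On a real sample you would read the file with `open(path, "rb").read()` and pass the bytes in; packed or encrypted binaries will only show these strings after unpacking, which is exactly the case where a memory dump of the running process is the better input than the file on disk.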

See here for a detailed analysis of the threat.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

Hiroshe 499 Posting Whiz in Training

Evil side: I like the idea of using Tor to control malware. It's more convenient than using public wifi, usenet, Pastebay, etc...

Good"er" side: Back your stuff up (off site)! Ransomware, hard drive failure, fire, theft, etc... are all dangerous.

iamthwee 1,547 Banned Featured Poster

Ever since I moved to linux I've not had to deal with such issues. I haven't reformatted my machine in at least two years.

boyans commented: You see, fan of formatting ;) +0