It seems like forever, but actually it was only the end of last year that we were writing about CryptoLocker which had pretty much redefined the ransomware landscape. Now this particular threat market is morphing again with the discovery of onion crypto ransomware.
Also known as Critroni, and CTB-Locker for what it's worth, the ransomware has been openly available (if you'll excuse the contradiction) on the underweb dark market for a few weeks now. However, this last week it has emerged in the wild being dropped by something called the Angler exploit kit. So why is this such a change in the ransomware attack methodology? Mainly, researchers are telling us, because it uses the anonymous Tor network in order to hide the command and control centers.
CryptoLocker upped the anti by encrypting files on the target computer, persisting across reboots and also encrypting backups on connected networks. It also demanded the ransom in Bitcoin in order to, the victim would hope, release a key for decryption. When the Gameover Zeus malware operation was successfully taken down by law enforcement agencies from the US and Europe, it looked like CryptoLocker was dead in the water as this was a key distribution channel. It should come as no surprise, and is likely no coincidence, that at exactly the same time the first instances of underground marketing for Critroni were spotted by security researchers. Now emerging from the Russian enclave where it was first tested out, Critroni/Onion sells for 'just' $3000 and is being seen in a diverse range of attack scenarios including via spambot installations being dropped by Angler.
Like CryptoLocker before it, the ransomware will encrypt a bunch of files including those which often have the most perceived value within the consumer market (targeted as they are less likely to be security savvy)such as photos, music and documents. Like CryptoLocker, the ransom demand is in Bitcoin and currently stands at 0.5 BTC or $300 give or take.
Unlike CryptoLocker, Critroni/CTB-Locker/Onion (call it what you will) uses the Tor network to operate the command and control infrastructure. In itself this is not new, as some banking Trojan malware has somewhat ironically been spotted operating covertly on Tor in recent months, however it is thought to be the first time that a crypto-ransomware threat has used it. The executable for getting that Tor connection is embedded in the body of the ransomware, rather than in an accompanying Tor.exe file according to Kaspersky researchers who have been doing much of the digging. This would suggest that, from a programming perspective, the people behind it are actually quite accomplished.
See here for a detailed analysis of the threat.
