If last year’s ransomware story was all about CryptoLocker, this year it seems to be variations on the same theme. A new piece of extortion-ready malware, dubbed Critroni, is making its way out of the Dark Web into the wild.
Advertised since the middle of June in underground forums, the “CTB-Locker (Curve-Tor-Bitcoin Locker)” bug (now flagged as Critroni) goes for $3,000 per month in an as-a-service model, which includes free support. Extending that support costs $300 per month. And, as a French researcher known only as “Kafeine” noted, “You can freely use the system after the end of support to launch new server generated lockers. You will only be limited in future updates.”
In 2013, CryptoLocker started making the rounds. It was notable for its tactic: after taking control of a target, instead of immediately alerting the victim as to what was going on, it would simply encrypt every important file on the PC with a unique private key only known to the attackers. Once it finished, which at times could take several days depending on the amount of data, CryptoLocker would display its ransom note. It also featured a timer that let the target know how long they had until the private key was destroyed and all of the data on that machine would be gone forever. The idea was so ingenious that it has spawned several “Crypto-clones” as well as other ransomware, like Critroni, that use a similar private key mechanism.
Kafeine said that there are multiple instances of Critroni in the wild; it began life as a Russian-speaker-focused scourge, but has recently expanded its language support to include English and is therefore showing up in more places. It uses the Angler exploit kit and is following in the footsteps of other malware samples by using Tor to cover its tracks.
“It uses C2 hidden in the Tor network. Previously we haven’t seen cryptomalware having C2 in Tor. Only banking trojans,” Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, told Threatpost. “Executable code for establishing Tor connection is embedded in the malware’s body. Previously, in malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware’s body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general.”