New details are emerging about Critroni, a new encryption ransomware that relies on Tor and a key-based cryptographic scheme.
The extortion-ready malware, also known as the Onion or the CTB-Locker (Curve-Tor-Bitcoin Locker) bug, has been advertised since the middle of June in underground forums. It goes for $3,000 per month in an as-a-service model, which includes free support. Extending that support costs $300 per month.
Kaspersky has published a thorough analysis of the Onion, noting its highly sophisticated nature.
“Technical improvements to the malware have made it a truly dangerous threat as one of the most sophisticated encryptors today,” said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, in the analysis. “It is a new breed of encryption ransomware that uses a countdown mechanism to scare victims into paying for decryption in Bitcoins. The cybercriminals claim there is a strict 72-hour deadline to pay up, or all the files will be lost forever.”
As such, Critroni is the successor to other encryption-based malware such as CryptoLocker and CryptoWall. However, to transfer secret data and payment information, the Onion communicates with command and control servers located somewhere inside the Tor anonymity network. Kaspersky noted that its researchers have previously seen this kind of communication architecture in a few banking malware families, such as a 64-bit ZeuS variant enhanced with Tor.
“Now it seems that Tor has become a proven means of communication and is being utilized by other types of malware,” said Sinitsyn. “The Onion malware features technical improvements on previously seen cases where Tor functions were used in malicious campaigns. Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there.”
Kaspersky has uncovered that the Onion malware reaches a device through a multi-stage chain that starts with the Andromeda botnet. The bot receives a command to download and run a second piece of malware, from the Joleee family, on the infected device. That malware in turn downloads the Onion malware to the device.
As for geographic distribution, the malware uses a Russian-language interface and most likely hails from Russia. Most attempted infections have been recorded in the Commonwealth of Independent States (CIS), the alliance of 12 of the 15 former republics of the Soviet Union (Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan). However, individual cases have been detected in Germany, Bulgaria, Israel, the UAE and Libya.
As always, the best way to protect critical data from this type of attack is a consistent backup schedule, with the backup copies kept out of the ransomware's reach.
“Backup should be performed regularly and, moreover, copies need to be created on a storage device that is accessible only during this process (e.g., a removable storage device that disconnects immediately after backup),” recommended Sinitsyn. “Failure to follow these recommendations will result in the backed-up files being attacked and encrypted by the ransomware in the same way as the original file versions.”