Security researchers have warned of a newly discovered strain of ransomware using advanced elliptic curve cryptography (ECC) and Tor infrastructure.
First spotted by Trojan7Malware last week, the so-called OphionLocker ransomware is initially spread via a malvertising campaign using the RIG exploit kit.
Once the victim’s files have been encrypted using ECC, the victim is presented with a pop-up explaining what has happened and giving a URL to visit to buy the key that decrypts all of the files.
“From now on you have 72 hours to pay or the key will be permanently deleted from our server and you won’t EVER get your files back,” the message continues.
According to an F-Secure blog post on the ransomware, multiple text files with the format ENCRYPTED[..].txt are created, which contain a generated Hardware ID for the victim’s machine.
On entering said HWID, the victim will be asked to pay a ransom of 1 BTC ($340).
Crucially, OphionLocker uses a Tor2web URL to give the user instructions on how to pay for decryption, making it harder to track and shut down.
Public keys are also pre-packed in the malware so encryption can begin without an internet connection or any input from the user – making it doubly difficult to stop, Trojan7Malware said.
Another quirk of OphionLocker is that if the user is infected in a virtual environment, it will hand over the decryptor for free after the victim enters their HWID. The only catch is that, despite claiming files are decrypted, they aren’t, according to F-Secure.
For the record, ECC delivers strong security with much smaller keys than older public-key schemes, which is why it is frequently used on devices with limited battery life and computing power, such as mobiles.
OphionLocker isn’t the first ransomware to be spotted in the wild using Tor and ECC; CTB-Locker was also discovered with the same features in August, F-Secure said.
However, it’s yet another example of the increasing lengths to which malware writers are prepared to go to succeed with their campaigns.