Ransomware goes to TOR,aims to eclipse infamous Cryptolocker

A new version of file-encrypting malware hides its sever inside an anonymous TOR network, making it safer for criminals to extort money from victims.

You are probably already aware of recent cybercriminal development, namely encrypting ransomware. This kind of malware doesn’t try to hide from users; instead, a locker encrypts user’s documents using strong cryptography and demands ransom for decryption. Infamous examples of his malware family are Cryptolocker and CryptoWall, among others. Unfortunately, this criminal scheme proved profitable, so new, stronger and more efficient types of encrypting Trojans emerged. We are here to warn you of the “Onion” ransomware (aka CTB-Locker), which uses anonymous TOR (The Onion Router) network and Bitcoins to better protect criminals, their funds and keys to victims’ files from law enforcement.

By using TOR, criminals make it harder to trace their activity and seize malware control servers. Using Bitcoins, an anonymous cryptocurrency, as the exclusive payment option, makes following the money complex too. What does it mean for ordinary users? Criminals will likely be able to use this malware for a long time. In addition, the malware is being sold on underground forums and attracted international attention. That’s why we expect further infections in other regions, especially in the U.S., UK and others, that have proven to be good “markets” for ransomware.

The Onion Locker is technically a sophisticated malware that acts silently until all user’s documents are encrypted. Only then it uploads key-related data to its control server via TOR and displays a warning with a 72-hour countdown. The victim is offered to pay 0.2-0.5 Bitcoins (120-350 USD) to receive a decryption key. If s/he fails to pay in 72 hours, the key (and all encrypted files) can be considered lost.  To be “helpful”, criminals give some tips on Bitcoin buying and provide an instruction for the case when a user must buy the key from another computer.

“Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there,” said Fedor Sinitsyn, Senior Malware Analyst at Kaspersky Lab.

The malware is currently being distributed using classical criminal means: web pages with exploit kits initiate Trojan downloads to a victim’s computer, then this Trojan downloads The Onion encryptor. More detailed analysis is available on Securelist.com

Avoiding The Onion locker and other types of encrypting ransomware

To prevent your computer from being infected, regularly update critical software components on your computers: an operating system, a browser and all add-ons (media players, Java, PDF readers and so on). In addition, a strong Internet Security solution is advised. By the way, a recent version of Kaspersky Internet Security has dedicated technologies to counter encrypting ransomware.

To be able to restore your data after any disaster, be it a ransomware attack, theft or flood, the regular backup to a safely stored removable media is crucial.

Tips