Critroni: First File-Encrypting Ransomware to Use Tor

A new file-encrypting piece of ransomware advertised on underground forums since mid-June is being increasingly used by cybercriminals, a security expert reported last week.

The threat, dubbed “CTB-Locker” and detected as Critroni.A by Microsoft, was initially used against Russian-speaking users, but according to a French researcher known as Kafeine, an English version has also been launched recently. The name CTB, which stems from Curve/Tor/Bitcoin, describes some of the key advantages of using this piece of ransomware.

The malware developers claim that the elliptic curve cryptography that’s used to encrypt victims’ files makes it impossible to decrypt them without paying the ransom. The Tor anonymity network is utilized to hide the malware’s command and control (C&C) servers in order to make operations more difficult to disrupt and to protect the identity of the owner, the developers of Critroni said.

According to ThreatPost, this is the first crypto ransomware that uses Tor to protect C&C servers, a technique usually seen in banking Trojans. Furthermore, unlike other threats that rely on the anonymity network, the Tor components are embedded in the malware’s body to make it more efficient and to help it avoid detection, said Kaspersky Senior Malware Analyst Fedor Sinitsyn.

Kaspersky Lab has analyzed the threat, which it has dubbed “Onion Ransomware,” and plans on publishing a detailed report on it in the upcoming days.

The cybercriminals claim their creation uses Bitcoin for ransom payments because the “purse is impossible to block and remove,” and since the loot isn’t stored on the server, it isn’t lost even if something happens to the server. The malware authors advise customers to demand 0.5 Bitcoin ($310) from victims in the US, Canada and Europe, and 0.25 Bitcoin ($155) for other regions. However, they point out that customers can set any ransom fee they want.

Critroni is currently being sold for $3,000, which includes free support. However, extended support costs an extra $300 per month.

Kafeine, who has spotted multiple instances of the ransomware in the wild, says the threat is sometimes distributed as a second stage payload by the Angler exploit kit.

Users whose computers are infected with Critroni are given 72 hours to pay the ransom. After the time runs out, victims are informed that the “locker” will remove itself from the system and that their files could be lost forever.

CryptoLocker, the most successful file-encrypting ransomware, was disrupted by law enforcement authorities at the beginning of summer. However, the rise of threats like Critroni demonstrates that cybercriminals are not ready to give up on such operations, most likely because they can be very profitable. As far as CryptoLocker is concerned, communications between infected devices and the botnet were cut off as a result of the recent operation, but researchers say its infrastructure is currently used for other threats.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
