CTB-Locker Ransomware Uses Unusual Cryptographic Scheme: Kaspersky

After analyzing a recently discovered piece of ransomware called CTB-Locker (Critroni), security researchers from Kaspersky Lab have determined that the threat has a number of features that separate it from many other forms of malware.

According to the security firm, which detects this malware family as Trojan-Ransom.Win32.Onion, CTB-Locker developers have used some techniques that have been proved to be successful by other file encryptors, but there is also some functionality that has not been seen before.

After infecting a computer, the malware searches fixed, removable and network drives for certain file types, which it encrypts to make them inaccessible to the victim. Then it displays a window that informs the user that his/her files have been encrypted, and that they can only be recovered if a ransom is paid in Bitcoin. To make sure the victim doesn't miss the ransom demand, an image file containing instructions on how to recover the files is set as the desktop background.

While this is typical behavior for file encryptors, the cryptographic scheme and command and control (C&C) communications are different from what has been seen so far, Kaspersky said.

CTB-Locker uses the Tor anonymity network to communicate with its C&C server, which is not uncommon for other types of malware but is unusual for ransomware.

"Although some of the ransom Trojans from families detected earlier demanded that the victim visit a certain site on the Tor network, the malware discussed here supports full interaction with Tor without the victim's input, setting it apart from the others," Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, explained in a blog post.

Furthermore, unlike other threats that have used Tor for C&C communications, Trojan-Ransom.Win32.Onion doesn't rely on tor.exe, a legitimate application that can be downloaded from the official Tor website. Instead, cybercriminals have taken advantage of the fact that Tor is an open source project and they've implemented the code needed for interaction with the anonymity network as part of the malicious code.

Until recently, ACCDFISA had been the only piece of ransomware that compresses files before encrypting them. That threat simply adds targeted files to a password-protected archive created with the WinRAR application. CTB-Locker also compresses files, but it does this in a more sophisticated manner. First, it moves the user's file to a temporary file, which it reads from the disk block-by-block. Then, each of these blocks is compressed using the Zlib compression library, encrypted, and written to the disk, said Sinitsyn.

In order to ensure that files can't be decrypted without the ransom being paid, the malware uses an existing implementation of the Elliptic curve Diffie–Hellman (ECDH) cryptographic protocol. The malware generates a total of five keys to encrypt the data: master-public (public key), master-private (private key), session-public and session-private (the pair of keys generated for each file to be encrypted) and session-shared (shared secret).

Files can be decrypted with the master-public and session-private keys, with the session-shared key, or with the master-private and session-public keys. However, since the master-private, session-shared and session-private keys are not saved on the client, it is impossible to decrypt the files from what remains on the infected machine. The master-public key is sent to the cybercriminals' server, so in theory it could be intercepted, but the cybercriminals also use the ECDH protocol to encrypt traffic between the client and the C&C server.
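To make the key relationships in the two paragraphs above concrete, here is an added example (not code from the malware or from Kaspersky's analysis) of the master/session ECDH agreement, implemented with X25519 in pure Python; the curve, the SHA-256 secret derivation and the function names are assumptions, since the article does not say which ECDH implementation CTB-Locker uses. It shows why the only data left on the client, the two public keys, cannot rebuild the session-shared secret.

```python
import hashlib
import os

# X25519 (RFC 7748) in pure Python; the article does not name the curve
# CTB-Locker used, so this curve is an assumption for the demonstration.
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication k*u (RFC 7748, section 5)."""
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(priv: bytes = b""):
    """Return (private, public); a fresh random private key if none given."""
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def encrypting_side(master_public: bytes):
    """Per-file step as the article describes it: a fresh session pair and a
    session-shared secret from session-private + master-public.  Only the
    session-public key is kept; session-private and the secret are dropped."""
    session_private, session_public = keypair()
    session_shared = hashlib.sha256(x25519(session_private, master_public)).digest()
    return session_public, session_shared

def master_side(master_private: bytes, session_public: bytes) -> bytes:
    """The surviving route: master-private + session-public rebuilds the same
    session-shared secret, so only the master-private holder can decrypt."""
    return hashlib.sha256(x25519(master_private, session_public)).digest()
```

The check a responder wants is the last assertion pattern: holding both public keys, the recovery side gets a different value, which is why traffic capture of the master-public key alone does not help.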

As far as propagation is concerned, CTB-Locker is distributed by the Andromeda botnet, which downloads an email worm of the Joleee family (Email-Worm.Win32.Joleee) onto infected systems. The email worm is usually utilized to send spam emails, but it can also download and launch files, and in this case it downloads and executes the ransomware.

Until July 20, Kaspersky had detected a total of only 75 Trojan-Ransom.Win32.Onion infections, mainly in Russia, Ukraine, Kazakhstan and Belarus. However, experts believe that the actual number of infections is larger since the malware is distributed with various packers.

"Now it seems that Tor has become a proven means of communication and is being utilized by other types of malware. The Onion malware features technical improvements on previously seen cases where Tor functions were used in malicious campaigns," Sinitsyn told SecurityWeek. "Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there."

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.