CTB-Locker Ransomware Uses Unusual Cryptographic Scheme: Kaspersky

After analyzing a recently discovered piece of ransomware called CTB-Locker (Critroni), security researchers from Kaspersky Lab have determined that the threat has a number of features that separate it from many other forms of malware.


According to the security firm, which detects this malware family as Trojan-Ransom.Win32.Onion, the CTB-Locker developers have reused techniques that other file encryptors have already proven successful, but the threat also includes functionality that has not been seen before.

After infecting a computer, the malware searches fixed, removable and network drives for certain file types and encrypts them to make them inaccessible to the victim. It then displays a window informing the user that their files have been encrypted and can only be recovered if a ransom is paid in Bitcoin. To make sure the victim doesn’t miss the ransom demand, an image file containing instructions on how to recover the files is set as the desktop background.

While this is typical behavior for file encryptors, the cryptographic scheme and command and control (C&C) communications are different from what has been seen so far, Kaspersky said.

CTB-Locker uses the Tor anonymity network to communicate with its C&C server, a practice that is not uncommon for other types of malware but is unusual for ransomware.

“Although some of the ransom Trojans from families detected earlier demanded that the victim visit a certain site on the Tor network, the malware discussed here supports full interaction with Tor without the victim’s input, setting it apart from the others,” Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, explained in a blog post.

Furthermore, unlike other threats that have used Tor for C&C communications, Trojan-Ransom.Win32.Onion doesn’t rely on tor.exe, a legitimate application that can be downloaded from the official Tor website. Instead, cybercriminals have taken advantage of the fact that Tor is an open source project and they’ve implemented the code needed for interaction with the anonymity network as part of the malicious code.


Until recently, ACCDFISA was the only piece of ransomware that compressed files before encrypting them, and it did so simply by adding the targeted files to a password-protected archive created with the WinRAR application. CTB-Locker also compresses files, but in a more sophisticated manner. First, it moves the user’s file to a temporary file, which it reads from disk block by block. Each block is then compressed with the Zlib compression library, encrypted, and written to disk, said Sinitsyn.

To ensure that files can’t be decrypted without the ransom being paid, the malware uses an existing implementation of the Elliptic Curve Diffie–Hellman (ECDH) key agreement protocol. The malware generates a total of five keys to encrypt the data: master-public (public key), master-private (private key), session-public and session-private (the key pair generated for each file to be encrypted) and session-shared (the shared secret).

Files can be decrypted with any of three combinations: the master-public and session-private keys, the session-shared key alone, or the master-private and session-public keys. However, since the master-private, session-shared and session-private keys are not saved on the client, it is impossible to decrypt the files from the infected machine. The master-public key is sent to the cybercriminals’ server, so in theory it could be intercepted, but the cybercriminals also use ECDH to encrypt traffic between the client and the C&C server.
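The five-key scheme described above, as an added example that is not part of the original article or of Kaspersky’s analysis: a minimal ECDH over secp256k1 (the curve is an assumption; the article names none) shows why the three decryption routes yield the same per-file key, and why discarding session-private and session-shared on the client leaves only the master-private route, which the victim never holds. Only the Python standard library is used.

```python
import hashlib
import secrets

# secp256k1 parameters: an assumption, the article names no curve.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(P, Q):  # affine addition on y^2 = x^3 + 7; None = point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P)
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def keygen():
    priv = secrets.randbelow(n - 1) + 1
    return priv, ec_mul(priv, G)

def derive_key(priv, pub):
    # ECDH: priv * pub is the "session-shared" point; hash its x-coordinate
    # into a symmetric key for the file.
    shared = ec_mul(priv, pub)
    return hashlib.sha256(shared[0].to_bytes(32, "big")).digest()

def encrypt_side(master_pub):
    # Per-file step on the infected host: fresh session pair, key from session-private + master-public.
    # Only session_pub is kept with the file; session_priv and the shared point are discarded.
    session_priv, session_pub = keygen()
    return session_pub, derive_key(session_priv, master_pub)

def recover_key(master_priv, session_pub):
    # Remaining route once the client wiped its copies: master-private + session-public.
    return derive_key(master_priv, session_pub)
```

For a responder, the practical consequence is that session-public keys recovered from disk are worthless without master-private; what is worth checking is whether any copy of session-private or the shared point survived elsewhere (memory, a temporary file).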

As far as propagation is concerned, CTB-Locker is distributed by the Andromeda botnet, which downloads an email worm of the Joleee family (Email-Worm.Win32.Joleee) onto infected systems. The email worm is usually utilized to send spam emails, but it can also download and launch files, and in this case it downloads and executes the ransomware.

Until July 20, Kaspersky had detected a total of only 75 Trojan-Ransom.Win32.Onion infections, mainly in Russia, Ukraine, Kazakhstan and Belarus. However, experts believe that the actual number of infections is larger since the malware is distributed with various packers.

“Now it seems that Tor has become a proven means of communication and is being utilized by other types of malware. The Onion malware features technical improvements on previously seen cases where Tor functions were used in malicious campaigns,” Sinitsyn told SecurityWeek. “Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
