CTB-Locker Ransomware Uses Unusual Cryptographic Scheme: Kaspersky

After analyzing a recently discovered piece of ransomware called CTB-Locker (Critroni), security researchers from Kaspersky Lab have determined that the threat has a number of features that separate it from many other forms of malware.

According to the security firm, which detects this malware family as Trojan-Ransom.Win32.Onion, the CTB-Locker developers have borrowed some techniques that have proved successful for other file encryptors, but the threat also has functionality that has not been seen before.

After infecting a computer, the malware searches fixed, removable and network drives for certain file types, which it encrypts to make them inaccessible to the victim. Then it displays a window that informs the user that his/her files have been encrypted, and that they can only be recovered if a ransom is paid in Bitcoin. To make sure the victim doesn’t miss the ransom demand, an image file containing instructions on how to recover the files is set as the desktop background.

While this is typical behavior for file encryptors, the cryptographic scheme and command and control (C&C) communications are different from what has been seen so far, Kaspersky said.

CTB-Locker uses the Tor anonymity network to communicate with its C&C server, which is not uncommon for other types of malware but is unusual for ransomware.

“Although some of the ransom Trojans from families detected earlier demanded that the victim visit a certain site on the Tor network, the malware discussed here supports full interaction with Tor without the victim’s input, setting it apart from the others,” Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, explained in a blog post.

Furthermore, unlike other threats that have used Tor for C&C communications, Trojan-Ransom.Win32.Onion doesn’t rely on tor.exe, a legitimate application that can be downloaded from the official Tor website. Instead, cybercriminals have taken advantage of the fact that Tor is an open source project and they’ve implemented the code needed for interaction with the anonymity network as part of the malicious code.

Until recently, ACCDFISA had been the only piece of ransomware that compresses files before encrypting them. That threat simply adds targeted files to a password-protected archive created with the WinRAR application. CTB-Locker also compresses files, but it does so in a more sophisticated manner. First, it moves the user’s file to a temporary file, which it reads from the disk block by block. Each block is then compressed with the Zlib compression library, encrypted, and written back to the disk, said Sinitsyn.


In order to ensure that files can’t be decrypted without the ransom being paid, the malware uses an existing implementation of the Elliptic curve Diffie–Hellman (ECDH) cryptographic protocol. The malware generates a total of five keys to encrypt the data: master-public (public key), master-private (private key), session-public and session-private (the pair of keys generated for each file to be encrypted) and session-shared (shared secret).

Files can be decrypted with any of three key combinations: the master-public and session-private keys, the session-shared key alone, or the master-private and session-public keys. However, since the master-private, session-shared and session-private keys are not saved on the client, it is impossible to decrypt the files. The master-public key is sent to the cybercriminals’ server, so in theory it could be intercepted, but the cybercriminals also use the ECDH protocol to encrypt traffic between the client and the C&C server.
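To make the three recovery paths concrete, here is an added illustration of the key arrangement described above; it is not Kaspersky’s analysis code or the malware’s own. X25519 (RFC 7748) and SHA-256 are assumed stand-ins, since the article names neither the curve nor the key derivation CTB-Locker used. The point it shows is that the material left on the infected host (master-public and session-public) cannot reproduce the shared secret; only the operator’s master-private can.

```python
import hashlib

# Added illustration of the key scheme described above; X25519 and SHA-256 are
# assumed stand-ins, the article does not name the curve or KDF CTB-Locker used.
P = 2**255 - 19
A24 = 121665
BASE = (9).to_bytes(32, "little")

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication, following RFC 7748 section 5."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public(priv: bytes) -> bytes:
    return x25519(priv, BASE)

def encrypt_side(master_pub: bytes, session_priv: bytes) -> tuple[bytes, bytes]:
    """Per-file step on the infected host: a fresh session pair is agreed against
    master-public. Only session-public is written out; session-private and the
    shared secret are discarded once the file is processed."""
    return public(session_priv), x25519(session_priv, master_pub)

def recover_side(master_priv: bytes, session_pub: bytes) -> bytes:
    """The operator's path: master-private plus the stored session-public reproduces
    the same shared secret, the key that never left the operator."""
    return x25519(master_priv, session_pub)

def file_key(shared: bytes) -> bytes:
    """Assumed KDF from the ECDH shared secret to a per-file symmetric key."""
    return hashlib.sha256(b"ctb-demo" + shared).digest()
```

Feeding the on-disk residue back into the function (session-public treated as a scalar against master-public) yields an unrelated value, which is the property the article relies on when it calls decryption without the operator's key impossible.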

As far as propagation is concerned, CTB-Locker is distributed by the Andromeda botnet, which downloads an email worm of the Joleee family (Email-Worm.Win32.Joleee) onto infected systems. The email worm is typically used to send spam, but it can also download and launch files, and in this case it downloads and executes the ransomware.

Until July 20, Kaspersky had detected a total of only 75 Trojan-Ransom.Win32.Onion infections, mainly in Russia, Ukraine, Kazakhstan and Belarus. However, experts believe that the actual number of infections is larger since the malware is distributed with various packers.

“Now it seems that Tor has become a proven means of communication and is being utilized by other types of malware. The Onion malware features technical improvements on previously seen cases where Tor functions were used in malicious campaigns,” Sinitsyn told SecurityWeek. “Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there.”


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
