14 DAY TRIAL // A new ransomware called Critroni, is up for sale on the underground forums, its vendors touting it as a new generation of Cryptolocker as it uses the Tor network to anonymize its communication with the command and control server.
The purpose of the malicious kit is to encrypt various types of files, documents and images among them, and ask for a ransom fee to revert the locking process.
The post was discovered by French security researcher that goes by the name of Kafeine, who says that the advertisement has been up since the middle of June and that at the beginning it was used primarily against Russians, but lately it is leveraged against computer users in other countries, too.
The piece of malware, named CTB-Locker (Curve-Tor-Bitcoin Locker) by the cybercrooks, is currently detected as Critroni.A by Microsoft and is available for $3,000 / €2,220.
Critroni is advertised to use persistent cryptography relying on elliptic curves, which would make file decryption impossible; keys are generated randomly and there is no risk of collision.
As the name suggests, the ransom has to be paid in Bitcoin crypto-currency in order to prevent tracing of the transaction, and if the victim does not own any, they are instructed on how to acquire them. Other forms of payment can also be integrated.
The post on the underground forum says that the encryption process can be carried out in lack of Internet connection.
Kafeine reports that Critroni has been seen to be delivered by the Angler exploit kit, but other forms of attack have also been detected in the wild.
If the period of time set for making the ransom payment expires, the file locking program self-deletes, but victims are offered another chance to retrieve the data, instructions being provided in a TXT file located in the Documents folder.
According to security experts from Kaspersky, this is the first cryptomalware to use the TOR network to annonymize its communication with the command and control server. This sort of protection has generally been seen in banking Trojans.
“Executable code for establishing Tor connection is embedded in the malware’s body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware’s body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general,” said Kaspersky Lab senior malware analyst, Fedor Sinitsyn, to Threatpost.
Kafeine asserts that Critroni “seems to be a strong, well thought piece of malware.”