Public-key cryptography used for data encryption

Dec 11, 2014 14:37 GMT

A new piece of crypto-malware has been discovered in the wild, distributed through an exploit kit in drive-by downloads.

Named OphionLocker, the ransomware relies on elliptic curve cryptography (ECC) to encrypt the data on the affected computer.

ECC is a public-key cryptographic approach based on two mathematically linked keys: a public key, used to lock the data, and a private key, used to decrypt the files.

OphionLocker carries the public key, which is embedded in the sample, but the private key that can unlock the information is generated on a server controlled by the cybercriminals. As a result, the encryption process can begin even when the infected system is not connected to the Internet.
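The key model described above, as an added example that is not code from the article, from Trojan7Malware or from the malware itself: a deliberately tiny textbook curve with 19 points (constructed parameters, trivially brute-forceable, unlike the real curves such threats use) shows why the victim-side step needs only the public point shipped in the sample and can run offline, while recovery needs the private scalar that is held elsewhere; having the sample, and therefore the public key, does not let an analyst decrypt anything, which is why backups remain the practical mitigation.

```python
import hashlib

# Toy curve y^2 = x^3 + A*x + B over F_p with a 19-point group (textbook
# parameters chosen for illustration; trivially breakable, NOT secure).
P_MOD, A, B = 17, 2, 2
G, ORDER = (5, 1), 19   # generator and group order (None = point at infinity)

def point_add(P, Q):
    """Add two curve points; None is the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, P):
    """Double-and-add: compute k*P."""
    result, addend = None, P
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def keystream(shared, length):
    """Stand-in KDF: stretch the shared point into a keystream with SHA-256."""
    seed = f"{shared[0]},{shared[1]}".encode()
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_to_public(attacker_pub, ephemeral_k, plaintext):
    """Victim side: needs only the public point shipped in the sample, so it
    runs with no network connection; the private scalar never leaves the server."""
    ephemeral_pub = scalar_mult(ephemeral_k, G)
    ks = keystream(scalar_mult(ephemeral_k, attacker_pub), len(plaintext))
    return ephemeral_pub, bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt_with_private(attacker_priv, ephemeral_pub, ciphertext):
    """Server side: the private scalar recovers the same shared point."""
    ks = keystream(scalar_mult(attacker_priv, ephemeral_pub), len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))
```

On this 19-element group the private scalar can be found by trying every value, which is exactly the discrete-log problem that becomes infeasible on the curves real malware uses.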

Malware is delivered by RIG exploit kit

This type of encryption has been seen in other threats of the same category, such as the Critroni/Onion ransomware. More commonly, these threats rely on the AES and RSA algorithms to encrypt files.

OphionLocker was discovered by Trojan7Malware after it was caught in one of the company's honeypots during a malvertising campaign. It appears that the crooks relied on the RIG exploit kit for distribution.

The researchers say that, after encrypting the data (documents, databases and images) on the compromised computer, the crypto-malware displays a ransom message that is nowhere near as elaborate as the one used by the infamous CryptoWall.

In this case, the crooks make the announcement in multiple plain text files that are dropped on the desktop of the system.

According to the researchers, the ransom is demanded in the digital currency bitcoin and is set at one bitcoin ($358 / €287).

However, this “offer” stands for only three days. Unlike other ransomware with encryption capabilities, OphionLocker does not increase the monetary demands when the deadline expires. Instead, the crooks say that the private key will be deleted from their servers unless the bitcoin payment is made to the specified address.

Tor address offered to make the payment

The message provides an address on the Tor anonymity network, reachable through the Tor2web proxy service, where the payment can be made in exchange for the private key.

Interestingly, the malware generates a hardware identification number, which has to be entered at the Tor address. Trojan7Malware says that the threat actor can blacklist these IDs to prevent encryption on particular machines, should they decide to.

The best protection against crypto-malware is to maintain backups of the important files. The safe copy is best stored on a device that is not connected to the Internet or is otherwise isolated from the main computer, so that if ransomware encrypts the files, the data can be restored from the backup.

Researchers at Bleeping Computer have analyzed the malware and say that, despite the strong encryption, OphionLocker does not securely delete the originals of the encrypted files, which can be recovered with software that accesses the Volume Shadow Copies created by Windows.

Images: ransom message from OphionLocker; Tor address for entering the hardware ID.