There’s a new kid on the crypto ransomware block, known as Critroni, that’s been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it’s the first crypto ransomware seen using the Tor network for command and control.
The ransomware landscape has been dominated for the last year or so by CryptoLocker, one of the nastier pieces of malware to emerge recently. CryptoLocker has the ability to encrypt all of the files on an infected computer and then demands that the victim pay a ransom in order to get the private key to decrypt the data. The ransom demand often requires victims to pay in Bitcoins, and researchers say that the malware has infected hundreds of thousands of machines.
Earlier this summer law enforcement agencies in the United States and Europe took down the GameOver Zeus malware operation, one of the key mechanisms that attackers were using to push the CryptoLocker ransomware. Around the same time in mid-June, security researchers began seeing advertisements for the Critroni ransomware on underground forums. Also known as CTB-Locker, the ransomware at first was being used almost exclusively against victims in Russia, but now has been seen in other countries, as well.
The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims’ machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim’s PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files. Victims have 72 hours to pay, and for those who don’t own any Bitcoins, the ransomware helpfully provides some detailed instructions on how to acquire them in various countries, according to an analysis of the threat by a French security researcher who uses the handle Kafeine.
“The Exploit Kit is just a vector. The delivery … kind of UPS/Fedex/DHL. In some cases you can see some trends, if a group has a dedicated threat and is using a dedicated vector, then you say stuff like: glupteba –> Flash EK, Reveton –> Angler EK (and even that one is a little fetched as one or two members are sometimes using their own EK). When it’s in affiliate mode… things are becoming blurry… many more actors and infection paths,” Kafeine said via email.
One of the unique features of Critroni/CTB-Locker is that it uses Tor for its command-and-control infrastructure. This is something that researchers have seen in other kinds of malware in recent months, but not with crypto ransomware.
“It uses C2 hidden in the Tor network. Previously we haven’t seen cryptomalware having C2 in Tor. Only banking trojans,” said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. “Executable code for establishing Tor connection is embedded in the malware’s body. Previously, in malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware’s body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general.”
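Because the Tor client is compiled into the malware rather than shipped as a separate Tor.exe, there is no Tor process name to look for on the host; what remains visible is the network behaviour of an unexpected process talking to Tor relays. The following is an added detection sketch, not code from the article or from Kaspersky Lab. It runs over a constructed outbound-connection log and flags any process, other than an allowlisted Tor client, that contacts two or more distinct hosts on Tor’s default ORPort/DirPort (9001/9030). The log format, the process names (winupd.exe and the others) and the allowlist are all assumptions made for the example; relays that listen on 443 would not be caught by this port-based heuristic, so in practice the destination list should be matched against the public relay consensus instead.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article). One outbound connection per line:
# "<timestamp> proc=<image name> dst=<ip>:<port>"
SAMPLE_LOG = """\
2014-07-19T10:01:02Z proc=svchost.exe dst=10.0.0.5:445
2014-07-19T10:01:05Z proc=firefox.exe dst=203.0.113.10:443
2014-07-19T10:01:09Z proc=winupd.exe dst=198.51.100.21:9001
2014-07-19T10:01:10Z proc=winupd.exe dst=198.51.100.22:9030
2014-07-19T10:01:12Z proc=winupd.exe dst=198.51.100.23:9001
2014-07-19T10:01:15Z proc=tor.exe dst=198.51.100.24:9001
2014-07-19T10:01:18Z proc=updater.exe dst=198.51.100.30:9001
2014-07-19T10:01:20Z proc=outlook.exe dst=192.0.2.7:993
"""

# Assumption: relays use the default ORPort (9001) and DirPort (9030). Many do not.
TOR_DEFAULT_PORTS = {9001, 9030}
# Site-specific allowlist of processes that are expected to speak Tor (assumption).
KNOWN_TOR_CLIENTS = {"tor.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "proc": m.group("proc"),
        "ip": m.group("ip"),
        "port": int(m.group("port")),
    }


def find_embedded_tor_candidates(log_text, min_relays=2):
    """Return {process: [relay ips]} for non-allowlisted processes that reached
    at least `min_relays` distinct hosts on Tor's default relay ports.

    A Tor client bootstraps by contacting several relays/directory servers, so a
    single connection is weak evidence; the threshold cuts down on noise.
    """
    contacts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["port"] in TOR_DEFAULT_PORTS and rec["proc"] not in KNOWN_TOR_CLIENTS:
            contacts[rec["proc"]].add(rec["ip"])
    return {proc: sorted(ips) for proc, ips in contacts.items() if len(ips) >= min_relays}


if __name__ == "__main__":
    for proc, ips in find_embedded_tor_candidates(SAMPLE_LOG).items():
        print(f"suspect embedded Tor client: {proc} -> {', '.join(ips)}")
```

On the sample log only winupd.exe is reported: tor.exe is allowlisted, and updater.exe touched a single relay port once, which is below the threshold.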
This strain of ransomware also compresses the files it encrypts, using Zlib, Sinitsyn said, and employs ECDH (Elliptic Curve Diffie-Hellman) encryption, another unusual feature. Kaspersky Lab is working on a detailed research report on this malware, which it calls Onion Ransomware, and plans to release it next week.
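Two points in that paragraph are worth seeing concretely from a defender’s side: why Diffie-Hellman over an elliptic curve leaves the victim with no key material that can recover the files, and why compression has to happen before encryption. The example below is an added illustration, not code from the article, from Kaspersky Lab or from the malware: it is a textbook ECDH key agreement on the secp256k1 curve, written in plain Python so it runs without third-party packages (the article does not say which curve CTB-Locker uses; secp256k1 is an assumption for the example). One side holds a long-term key pair, the other side generates a one-time key pair, derives the shared key and then discards its private half; after that only the long-term private key can rebuild the same shared key. The zlib part shows that a file shrinks when compressed before encryption, while ciphertext-like random bytes do not compress at all.

```python
import hashlib
import os
import zlib

# secp256k1 domain parameters (assumption for the example; the curve used by the
# malware is not stated in the article).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Add two affine points on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                        # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P      # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication k * point (educational, not constant-time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Return (private scalar in [1, N-1], public point)."""
    priv = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
    return priv, scalar_mult(priv, G)


def derive_shared_key(my_priv, their_pub):
    """ECDH: hash the x-coordinate of my_priv * their_pub into a 256-bit symmetric key."""
    x, _ = scalar_mult(my_priv, their_pub)
    return hashlib.sha256(x.to_bytes(32, "big")).digest()


def ecies_style_exchange(longterm_priv, longterm_pub):
    """Model the one-sided exchange: the sender keeps only its public point and the
    derived key, then throws the one-time private scalar away. Returns the key the
    sender used and the key the long-term key holder can recompute from the
    transmitted public point alone."""
    once_priv, once_pub = keygen()
    sender_key = derive_shared_key(once_priv, longterm_pub)
    del once_priv                                    # gone: nothing on the sender side can rebuild the key
    holder_key = derive_shared_key(longterm_priv, once_pub)
    return sender_key, holder_key


def compressed_size(data):
    """Size of data after zlib compression (compress-then-encrypt ordering)."""
    return len(zlib.compress(data, 9))


if __name__ == "__main__":
    lt_priv, lt_pub = keygen()
    k1, k2 = ecies_style_exchange(lt_priv, lt_pub)
    print("shared keys match:", k1 == k2)
    doc = b"quarterly report " * 512                 # constructed sample file content
    print("document:", len(doc), "->", compressed_size(doc), "bytes after zlib")
    blob = os.urandom(len(doc))                      # stands in for already-encrypted bytes
    print("random bytes:", len(blob), "->", compressed_size(blob), "bytes after zlib")
```

The asymmetry in `ecies_style_exchange` is the whole point: after the one-time scalar is discarded, the only remaining path to the symmetric key is the long-term private key, which never leaves the key holder. The compression check explains the ordering the article reports: zlib on structured file data gives a large saving, zlib on high-entropy bytes gives none, so compressing after encryption would be pointless.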
Critroni is in English and Russian right now, so countries that speak those languages will be at the top of the target list for attackers using the malware. Kafeine said via email that Critroni is now being pushed by a variety of attackers using different vectors. Critroni isn’t the first crypto ransomware to show up as part of an exploit kit operation. CryptoWall has been seen in the Angler exploit kit, and GameOver Zeus, which sometimes drops CryptoLocker, also showed up in Angler earlier this year.
Critroni is nicknamed CTB-Locker, for Curve/Tor/Bitcoin. If a victim’s infected machine can’t connect to the attacker’s server in order to send the Bitcoin payment, the ransomware provides instructions for them to go to another PC, download the Tor browser bundle and then connect to the attacker’s Tor server to complete the transaction.