New Strain of Crowti Ransomware Moving in I2P Network

A new strain of the Crowti ransomware, also dubbed Cryptowall 3.0, is moving on the I2P anonymity network.

A new strain of the Crowti ransomware, also dubbed Cryptowall 3.0, was spotted by researchers early this week after a quiet period during the holiday season.

The twist to these recent infections is that the malware communicates over the I2P anonymity network.

French researcher Kafeine confirmed this morning the use of I2P for command and control communication, while Microsoft reported that links to pages describing how to decrypt locked files are sent over Tor.

Microsoft said in its report that it noticed a spike in Crowti infections on Jan. 12 when 288 unique machines were infected.

“So…they are sadly back, and we can expect a lot of them in exploit kits, spam, tasks in botnet, etc.,” Kafeine said.

Ransomware has evolved in the last year or so from malware that locks computers in exchange for a ransom payment, to attacks that lock files and demand money or Bitcoin in exchange for a decryption key. Victims are generally first infected by web-based exploits; vulnerable websites are infected with Adobe- or Java-based exploit kits that redirect a victim’s browser to a download of the ransomware.

The malware encrypts files and presents the user with an image file detailing instructions on how to remit payment.

The most recent Crowti attacks include modified file names from previous versions, yet the infections behave generally the same as previous waves, Kafeine said.

The ransom notification files are named: HELP_DECRYPT.HTML, .PNG, .TXT, or .URL. In each of the four files, the victim is presented with an explainer of what happened to their files, which are encrypted with RSA-2048 encryption. The attacker explains how the files have been changed, but can be restored with a private key stored on a “secret server.”

The victim is provided with links on how to obtain the private key and where to remit payment from one of four links and instructions on how to install the Tor browser bundle. Kafeine said the user is afforded the ability of decrypting one file free of charge, and can also pay the ransom using Bitcoin.

Crowti had been relatively quiet since a late October surge when Microsoft reported 4,000 system infections at its peak, 71 percent of those in the United States.

In addition to being spread via exploit kits such as Nuclear, RIG and RedKit, Crowti and other forms of ransomware move in spam emails with .zip attachments. The attachments carry generic titles pretending to be fax messages, invoices, even IRS messages.

The use of I2P as a communication protocol is not new either, with botnets spreading banking malware making use of I2P.

Last July, a serious vulnerability was disclosed in the I2P software bundled with the TAILS operating system, an OS designed to enable online anonymity for its users. Researchers at Exodus Intelligence demonstrated a proof-of-concept exploit that could be used for remote code execution against several versions of TAILS.

Suggested articles