More details about a new family of encryption ransomware that uses the anonymous network Tor and requires users pay by Bitcoin have emerged.

The ransomware, known in some circles as Critoni or CTB-Locker, has been dubbed Onion by researchers at Kaspersky Lab as its creators use command and control servers hidden in the Tor Network (a/k/a The Onion Router) to obscure their malicious activity.

Similar to CryptoLocker, the ransomware that was first found locking up user’s systems last fall, Onion searches infected machines for a list of file types (.doc, .jpeg, .zip, etc.) compresses them and encrypts them.

It then displays a window that tells users exactly what has been encrypted, and gives them a 72-hour deadline and instructions on how the user can fork over the ransom in Bitcoin.

According to Kaspersky Lab’s Fedor Sinitsyn, a senior malware analyst with the company’s Global Research and Analysis Team, Onion was first detected at the end of June.

While the ransomware’s first target was English-speaking users, due to a newer Russian GUI and specific strings in the Trojan, Sinitsyn believes it’s safe to say its creators speak Russian.

As of this week the ransomware has primarily been attacking users in Russia and Ukraine, yet members of the Commonwealth of Independent States like Kazakhstan and Belarus have also been hit.

Sinitsyn wrote on Securelist Thursday of the ransomware’s unconventional Tor connection claiming that Onion communicates with Tor through the malware’s malicious code, via a different thread, something that makes the malware far more sophisticated than other types that would just inject code into other processes.

Unlike the majority of crypto-malware, which use a combination of AES and RSA to encrypt files, Onion bucks the trend and uses a version of the asymmetric ECDH (Elliptic Curve Diffie-Hellman) algorithm.

The malware compresses files via the Zlib library, then encrypts them with AES, with the hash SHA256. The only way to decrypt files encrypted by Onion are by calculating ECDH with a master-private key derived from the cybercriminals’ server.

The same protocol, ECDH, also protects all traffic coming to and from the attackers’ server with a separate, different set of keys.

Researchers claim that Onion is spread through the bot Andromeda, which first downloads and then runs the malicious program Joleee, which in turn downloads Onion on victim’s machines.

The research comes on the heels of work done last week by the French security researcher Kafeine, who explained how in some cases the ransomware was being dropped by spambots via the Angler exploit kit.

Onion, like its predecessors CryptoLocker and Cryptowall, is the latest in a line of so-called encryptors; nasty Trojans that encrypt everything from users’ family photos and documents to legitimate computer files like certificates, databases and files that store digital signatures.

It was widely assumed that CryptoLocker had been mostly neutralized following the Gameover Zeus takedown earlier this summer. Authorities said at the time the same botnet had been used to distribute the ransomware but some researchers have contested this theory and have recently begun to argue the ransomware is alive and evolving.

Categories: Malware, Vulnerabilities, Web Security