Critroni Crypto Ransomware Seen Using Tor for Command and Control

  • 18 July 2014
  • 5 replies
  • 856 views

Userlevel 7
Badge +54
Well, we warned that ransomware was one of the ways things were going; well, here is a new kid on the block now.
 
By Dennis Fisher  July 18, 2014
 
"The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims’ machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim’s PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files. Victims have 72 hours to pay, and for those who don’t own any Bitcoins, the ransomware helpfully provides some detailed instructions on how to acquire them in various countries, according to an analysis of the threat by a French security researcher who uses the handle Kafeine."
 
Full Article


Userlevel 6
Doesn't Cryptolocker also use Tor to hide its servers?
Userlevel 7
Badge +54
I remember that one method of paying up to get the decryption key was via a Tor address.
Userlevel 6
Just at this moment I wanted to edit my post. ;)
I was thinking of Cryptodefense and it was indeed using Tor for paying.
Userlevel 7
Badge +54
More information about this Trojan is coming to light now. It's early days for it, but it does have a lot of potential to be a real nasty.
 
by Chris Brook July 24, 2014
 
"Unlike the majority of crypto-malware, which use a combination of AES and RSA to encrypt files, Onion bucks the trend and uses a version of the asymmetric ECDH (Elliptic Curve Diffie-Hellman) algorithm.
The malware compresses files via the Zlib library, then encrypts them with AES, with the hash SHA256. The only way to decrypt files encrypted by Onion is by calculating ECDH with a master private key derived from the cybercriminals' server.
The same protocol, ECDH, also protects all traffic coming to and from the attackers' server with a separate, different set of keys.
Researchers claim that Onion is spread through the bot Andromeda, which first downloads and then runs the malicious program Joleee, which in turn downloads Onion on victims' machines."
 
Full Article
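To make the quoted claim concrete, here is an added illustration (not code from the article, the researchers, or the malware) of why an ECDH-derived file key can only be recovered by whoever holds the master private key: the encrypting side keeps only the ephemeral public point and discards the ephemeral scalar, so the victim's disk never contains enough to rebuild the key. The curve y^2 = x^3 + 2x + 2 over GF(17) with generator (5, 1) is a constructed toy for readability; real deployments use standard curves.

```python
import hashlib

# Toy curve parameters (constructed for illustration only; not a real curve).
P, A, B = 17, 2, 2
G = (5, 1)       # generator point
ORDER = 19       # number of points generated by G
INF = None       # point at infinity

def add(p1, p2):
    """Elliptic-curve point addition over GF(P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def derive_key(shared):
    """Hash the ECDH shared point into a symmetric key (SHA-256, as in the article)."""
    return hashlib.sha256(f"{shared[0]},{shared[1]}".encode()).hexdigest()

def encrypting_side(master_pub, ephemeral_priv):
    """Per-file step: derive key from e*M, keep only e*G; e itself is discarded."""
    eph_pub = mul(ephemeral_priv, G)
    key = derive_key(mul(ephemeral_priv, master_pub))
    return eph_pub, key

def key_holder_side(master_priv, eph_pub):
    """Master-key holder: m*(e*G) == e*(m*G), so the same key falls out."""
    return derive_key(mul(master_priv, eph_pub))
```

The ephemeral public point and the ciphertext are all that remain on the victim's machine; reproducing the key from them requires the scalar m, which never leaves the attackers' server.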
Userlevel 7
Badge +56
Here's a blog post from our own @ on the subject:
http://www.webroot.com/blog/2014/07/25/critroni-new-encrypting-ransomware/
