Stealthy ransomware 'Critroni' uses Tor, could replace Cryptolocker

Stealthy ransomware 'Critroni' uses Tor, could replace Cryptolocker

تاریخ ایجاد

ID: IRCNE2014072262
Date: 2014-07-22

According to “ComputerWorld”, Cybercriminals are spreading a new file-encrypting ransomware program that's more powerful and resilient than Cryptolocker, a threat recently shut down by the U.S. Department of Justice.
The new ransomware threat is called CTB-Locker (Curve-Tor-Bitcoin Locker), but Microsoft anti-malware products detect it as Critroni. Its creator has been advertising the program to other cybercriminals on Russian-language forums since the middle of June and it seems that he's been trying to fix most of Cryptolocker's faults.
Critroni uses a file encryption algorithm based on elliptic curve cryptography, which its creator claims is significantly faster than encryption schemes used by other ransomware threats. This also makes decrypting the affected files impossible without paying the ransom, if there are no implementation flaws.
Like Cryptolocker, Critroni generates a public and private key pair for every infected system. The public key is stored on the infected computer and given to the victim, who is then asked to pay a ransom in Bitcoin in order to recover the files.
The private key, which is used to decrypt the files, is stored on a remote command-and-control server that, in the case of Critroni, can only be accessed over the Tor anonymity network. This is a precaution that the creator has taken in order to make it difficult for law enforcement agencies or security researchers to identify and shut down the server.
In early June, the DOJ along with law enforcement agencies from several other countries took control of the Gameover Zeus botnet which was distributing the Cryptolocker ransomware. During the operation the authorities also seized the Cryptolocker command-and-control servers.
To prevent a similar takedown Critroni was designed to complete the file encryption operation locally before connecting to the command-and-control server. This also makes it hard for network security products to detect it early and block it by analyzing traffic.
Blocking Tor traffic only prevents the user from paying, not the program from functioning, the Critroni author said in his advertisement.
The new ransomware program initially targeted Russian-speaking users, but variants seen lately also display the ransom message in English, suggesting that the threat is now distributed more widely, said an independent malware researcher known online as Kafeine in a blog post Friday. "It seems to be a strong, well thought piece of malware."

برچسب‌ها