Ransomware goes to Tor: Potential successor to Cryptolocker appears


kaspersky_registered_partner.pngEncrypting ransomware – a type of malware which encrypts user data and then demands ransom for decryption – is now being implemented in a new way, according to research by Kaspersky Lab.

Kaspersky Lab calls the malware the “Onion” ransomware because it uses the anonymous network Tor (the Onion Router) to hide its malicious nature and to make it hard to track the actors behind this ongoing malware campaign.

Technical improvements to the malware have made it a truly dangerous threat as one of the most sophisticated encryptors today.

“Now it seems that Tor has become a proven means of communication and is being utilised by other types of malware. The Onion malware features technical improvements on previously seen cases where Tor functions were used in malicious campaigns,” Fedor Sinitsyn, Senior Malware Analyst at Kaspersky Lab, said.

The Onion malware is the successor to other notorious encryptors: CryptoLocker, CryptoDefence/CryptoWall, ACCDFISA and GpCode. It is a new breed of encryption ransomware that uses a countdown mechanism to scare victims into paying for decryption in Bitcoins. The cybercriminals claim there is a strict 72-hour deadline to pay up, or all the files will be lost forever.

To transfer secret data and payment information, the Onion communicates with command and control servers located somewhere inside the anonymous network. Previously, Kaspersky Lab researchers have seen this kind of communication architecture, but it was only used by a few banking malware families such as 64-bit ZeuS enhanced with Tor.

“Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there,” Sinitsyn added.

Triple-layer approach to infection

For the Onion malware to reach a device, it first goes via the Andromeda botnet (Backdoor.Win32.Androm). The bot then gets a command to download and run another piece of malware from the Joleee family on the infected device. The latter malware then downloads the Onion malware to the device. This is just one of the possible ways of distributing the malware that Kaspersky Lab has so far observed.

Geographical distribution

Most attempted infections have been recorded in the Commonwealth of Independent States, while individual cases have been detected in Germany, Bulgaria, Israel, the UAE and Libya.

The very latest samples of the malware support a Russian-language interface. This fact, along with a number of strings inside the body of the Trojan, suggests that the malware writers speak Russian.

Recommendations for staying safe

  • Back up important files

The best way to ensure the safety of critical data is a consistent backup schedule. Backup should be performed regularly and, moreover, copies need to be created on a storage device that is accessible only during this process (e.g., a removable storage device that disconnects immediately after backup). Failure to follow these recommendations will result in the backed-up files being attacked and encrypted by the ransomware in the same way as the original file versions.

  • Antivirus software

A security solution should be turned on at all times and all its components should be active. The solution’s databases should also be up to date.

To find out more about the encryption scheme, the report is available at securelist.com


Comments are closed.