Ransomware goes to Tor: potential successor to Cryptolocker appears | Kaspersky Lab

Ransomware goes to Tor: potential successor to Cryptolocker appears

24 Jul 2014
Virus News

Encrypting ransomware – a type of malware which encrypts user data and then demands ransom for decryption – is now being implemented in a new way, according to Kaspersky Lab research. Kaspersky Lab calls the malware the “Onion” ransomware because it uses the anonymous network Tor (the Onion Router) to hide its malicious nature and to make it hard to track the actors behind this ongoing malware campaign.

Technical improvements to the malware have made it a truly dangerous threat as one of the most sophisticated encryptors today.

The Onion malware is the successor to other notorious encryptors: CryptoLocker, CryptoDefence/CryptoWall, ACCDFISA and GpCode. It is a new breed of encryption ransomware that uses a countdown mechanism to scare victims into paying for decryption in Bitcoins. The cybercriminals claim there is a strict 72-hour deadline to pay up, or all the files will be lost forever.

To transfer secret data and payment information, the Onion communicates with command and control servers located somewhere inside the anonymous network. Previously, Kaspersky Lab researchers have seen this kind of communication architecture, but it was only used by a few banking malware families such as 64-bit ZeuS enhanced with Tor. 

“Now it seems that Tor has become a proven means of communication and is being utilized by other types of malware. The Onion malware features technical improvements on previously seen cases where Tor functions were used in malicious campaigns. Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there,” said Fedor Sinitsyn, Senior Malware Analyst at Kaspersky Lab.

To find out more about the encryption scheme, please see the related blog post on securelist.com

Triple-layer approach to infection

For the Onion malware to reach a device, it first goes via the Andromeda botnet (Backdoor.Win32.Androm). The bot then gets a command to download and run another piece of malware from the Joleee family on the infected device. The latter malware then downloads the Onion malware to the device. This is just one of the possible ways that Kaspersky Lab has so far observed of distributing the malware.

Geographical distribution

Most attempted infections have been recorded in the CIS, while individual cases have been detected in Germany, Bulgaria, Israel, the UAE and Libya.

The very latest samples of the malware support a Russian-language interface. This fact and a number of strings inside the body of the Trojan suggest that the malware writers speak Russian. 

Recommendations for staying safe

  • Back up important files
    The best way to ensure the safety of critical data is a consistent backup schedule. Backup should be performed regularly and, moreover, copies need to be created on a storage device that is accessible only during this process (e.g., a removable storage device that disconnects immediately after backup). Failure to follow these recommendations will result in the backed-up files being attacked and encrypted by the ransomware in the same way as the original file versions.
  • Antivirus software
    A security solution should be turned on at all times and all its components should be active. The solution’s databases should also be up to date.

The full report is available at securelist.com.

© 1997 – 2014 Kaspersky Lab

All Rights Reserved. Industry-leading Antivirus Software