Encrypting ransomware – a type of malware which encrypts user data and then demands ransom for decryption – is now being implemented in a new way, according to Kaspersky Lab research. Kaspersky Lab calls the malware the “Onion” ransomware because it uses the anonymous network Tor (the Onion Router) to hide its malicious nature and to make it hard to track the actors behind this ongoing malware campaign.
Technical improvements to the malware have made it a truly dangerous threat and one of the most sophisticated encryptors today.
The Onion malware is the successor to other notorious encryptors: CryptoLocker, CryptoDefence/CryptoWall, ACCDFISA and GpCode. It is a new breed of encryption ransomware that uses a countdown mechanism to scare victims into paying for decryption in Bitcoins. The cybercriminals claim there is a strict 72-hour deadline to pay up, or all the files will be lost forever.
To transfer secret data and payment information, the Onion communicates with command and control servers located somewhere inside the anonymous network. Previously, Kaspersky Lab researchers have seen this kind of communication architecture, but it was only used by a few banking malware families such as 64-bit ZeuS enhanced with Tor.
“Now it seems that Tor has become a proven means of communication and is being utilized by other types of malware. The Onion malware features technical improvements on previously seen cases where Tor functions were used in malicious campaigns. Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there,” said Fedor Sinitsyn, Senior Malware Analyst at Kaspersky Lab.
To find out more about the encryption scheme, please see the related blog post on securelist.com.
The Onion malware reaches a device in stages, starting with the Andromeda botnet (Backdoor.Win32.Androm). The bot receives a command to download and run another piece of malware, from the Joleee family, on the infected device. That malware in turn downloads the Onion malware to the device. This is just one of the distribution methods that Kaspersky Lab has observed so far.
Most attempted infections have been recorded in the CIS, while individual cases have been detected in Germany, Bulgaria, Israel, the UAE and Libya.
The very latest samples of the malware support a Russian-language interface. This fact and a number of strings inside the body of the Trojan suggest that the malware writers speak Russian.
The full report is available at securelist.com.