The latest ransomware, named “Critroni”, includes a number of unusual features that set it apart from the ordinary, and according to researchers it is the first crypto-ransomware seen that uses the Tor anonymity network for command and control in order to conceal its communication.
According to a detailed analysis of the threat by a French security researcher who uses the handle Kafeine, the Critroni ransomware is being sold for around $3,000 on underground forums and has recently been used by a large number of attackers, including those who use the Angler exploit kit to drop a spambot on victims’ computers.
“Placing a server in an onion domain (TOR), close to domain abuse, makes it practically impossible to trace the owner and shut down the server,” reads the blog post. “Connection to the server only after encryption of all files. Early detection is not possible on the traffic; it is impossible to block the work of the locker. Blocking TOR prevents only payment by the user, not the program. Analogs connect to the server before the crypt and can be blocked.”
The spambot, an automated program designed to harvest addresses and assist in sending spam emails, then downloads a number of other malicious executables, including the Critroni ransomware.
Once downloaded onto a victim’s machine, Critroni, like several other ransomware families, encrypts a specific variety of files, including photos, videos and other important documents, and then displays a dialog box that notifies the user of the infection and demands a payment in Bitcoin in order to decrypt the encrypted files.
"Persistent cryptography based on elliptic curves. Decrypting files without payment is impossible. Equivalent resistance to RSA-3072, exceeding all analogs. At the same time, encryption speed is much higher."
Victims have 72 hours to pay the ransom amount demanded by the attacker, or they lose their important files. For those who do not own Bitcoin, the ransomware provides detailed instructions on how to acquire it, aimed at helping users in various countries pay the ransom.
Currently, the Critroni malware’s ransom message is written in English and Russian, so the countries that speak these languages are likely to be at the top of the target list for attackers using the malware.