Security

Critroni Crypto Ransomware Seen Using Tor for Command and Control

Trailrunner7 writes: There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features, and researchers say it's the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing a Tor connection is embedded in the malware's body. Previously, for malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."
  • Antivirus (Score:4, Informative)

    by saloomy ( 2817221 ) on Sunday July 20, 2014 @03:46PM (#47495839)

    Not trying to blame the victim, but I wonder if antivirus or anti-malware software will detect these ransomware programs? Just asking. I guess firewalls might be able to detect the Tor server/connections.

    All a firewall will see is encrypted traffic from the computer in the LAN (inside) initiating a connection to a random computer (IP address) on the Internet (outside interface). It's not able to see what is being sent/received, which is the entire reason for Tor's existence: protecting you from man-in-the-middle attacks, which in this case, the firewall would be.
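Added example (the editor's, not code from the story, from Kaspersky, or from either commenter): the summary says Critroni's Tor client is embedded in the malware body, and the firewall comment above makes the point that a perimeter device then sees only an encrypted TCP session to an arbitrary address. What the firewall can still do is match that destination against the published Tor relay list, because even an embedded Tor client has to reach directory mirrors and a guard relay at their published addresses. The script below does that over firewall log lines. Everything in it is constructed: the relay addresses are RFC 5737 documentation addresses standing in for a real consensus or bulk exit list, and the log line format is made up; a real deployment would load the current relay list and refresh it regularly. Caveat: a client configured with bridges or pluggable transports will not appear in any public list, so this is an alerting control, not a guarantee.

```python
"""Flag LAN hosts that open connections to known Tor relays.

Added example, not from the article. Assumptions:
- TOR_RELAYS stands in for a relay list loaded from the Tor consensus or
  https://check.torproject.org/torbulkexitlist; the addresses here are
  RFC 5737 documentation addresses, not real relays
- firewall log lines follow a constructed format:
  "<ts> ALLOW|DENY src=<ip>:<port> dst=<ip>:<port> proto=<proto>"
"""
import ipaddress
import re
from collections import defaultdict

# Constructed relay list (documentation addresses only).
TOR_RELAYS = {
    "198.51.100.7",
    "198.51.100.23",
    "203.0.113.5",
    "203.0.113.77",
}

# Constructed firewall log. 10.0.0.42 plays the infected host; its last
# connection was blocked and must not count as a successful contact.
SAMPLE_LOG = """\
2014-07-20T15:31:02Z ALLOW src=10.0.0.15:51320 dst=93.184.216.34:443 proto=tcp
2014-07-20T15:31:05Z ALLOW src=10.0.0.42:49152 dst=198.51.100.7:443 proto=tcp
2014-07-20T15:31:06Z ALLOW src=10.0.0.42:49153 dst=203.0.113.77:9001 proto=tcp
2014-07-20T15:31:09Z ALLOW src=10.0.0.42:49154 dst=198.51.100.23:9001 proto=tcp
2014-07-20T15:32:11Z ALLOW src=10.0.0.15:51321 dst=203.0.113.200:80 proto=tcp
2014-07-20T15:32:40Z DENY src=10.0.0.42:49155 dst=203.0.113.5:443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_tor_relay(dst_ip, relays=TOR_RELAYS):
    """True when the destination address is in the relay list.

    Bulk lists are address-only; if the full consensus is loaded, tightening
    this to (address, ORPort) cuts false positives from shared hosts."""
    return dst_ip in relays


def find_tor_clients(log_text, relays=TOR_RELAYS):
    """Return {internal_src_ip: sorted relay addresses it reached}.

    Only ALLOW records count (a DENY never carried traffic), and only
    private source addresses are considered, since the question is which
    LAN host is talking to Tor. A single hit is reported: a Tor client
    connects directly to its guard and, while bootstrapping, to directory
    mirrors, so even one contact is worth a look."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if not ipaddress.ip_address(rec["src"]).is_private:
            continue
        if is_tor_relay(rec["dst"], relays):
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(ips) for src, ips in hits.items()}


if __name__ == "__main__":
    for host, relays_seen in find_tor_clients(SAMPLE_LOG).items():
        print(f"{host} contacted Tor relays: {', '.join(relays_seen)}")
```

Run against the embedded sample, only 10.0.0.42 is reported; the denied connection to 203.0.113.5 is ignored, and 10.0.0.15 never touches a listed address. In practice the relay set changes hourly, so the list should be re-fetched on a schedule and the match run over flow or firewall exports as they arrive rather than once.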

  • by Arker ( 91948 ) on Sunday July 20, 2014 @07:18PM (#47496817)
    "It is good to be proud of your operating system of choice, but it is smug to think that Linux/OSX/BSD/Solaris will do anything technical to protect from such an attack."

    Well unless you have configured your *nix box to automatically privilege and run windows executables somehow, using a real OS is probably sufficient to stop this attack.

    Is it conceivable that a very similar attack could be written specifically for your OS of choice and do the same job? Yes, it's conceivable, that's right. But it's not in evidence.

    More generally, regardless of OS, this attack won't even trigger if your browser is configured sanely. The exploit kits and injectors all rely heavily on JavaScript. Make sure it is disabled and you have not only defeated this exploit before it even got started, along with all the others, but you have also taken a positive step towards making the web readable again!
