Security

Critroni Crypto Ransomware Seen Using Tor for Command and Control

Trailrunner7 writes: There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features, and researchers say it's the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing a Tor connection is embedded in the malware's body. Previously, for malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."
  • Time will come when firewalls inspect all outgoing packets and use heuristics to guess how dangerous encrypted traffic might be.

    For example:

    • Whitelisted sites: Encrypted traffic to an IP address previously whitelisted by the firewall vendor or end user? It's whitelisted, let it pass.
    • Heuristically safe sites: Encrypted traffic to an IP address known to be associated with a well-known domain whose DNS is known to be valid and who is known to typically use encryption over this port and whose recent activity h
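The tiered outbound-traffic policy the comment sketches, written out as a small triage routine. This is an added example, not code from the article or from the commenter; the whitelist, DNS cache and expected-port tables are constructed stand-ins for a firewall vendor's feeds, and the flow records are constructed too. Encrypted traffic to a destination that fits neither tier (the case an embedded Tor client would produce) lands in the "unknown" bucket for review rather than being dropped outright.

```python
"""Triage outbound encrypted flows into the comment's tiers (constructed data)."""
from dataclasses import dataclass

# Constructed tables standing in for vendor feeds and the local resolver cache.
WHITELISTED_IPS = {"203.0.113.10"}                       # tier 1: explicitly trusted
KNOWN_DOMAINS = {"203.0.113.20": "mail.example.com"}     # tier 2: IP -> well-known domain
RESOLVED_DNS = {"mail.example.com": {"203.0.113.20"}}    # forward lookups the resolver saw
EXPECTED_TLS_PORTS = {"mail.example.com": {443, 993}}    # ports that domain normally encrypts on


@dataclass
class Flow:
    src_proc: str      # process that opened the connection
    dst_ip: str
    dst_port: int
    encrypted: bool    # TLS/other opaque payload detected by the inspector


def classify(flow: Flow) -> str:
    """Return the policy tier a single outbound flow falls into."""
    if not flow.encrypted:
        return "plain"                       # out of scope for this heuristic
    if flow.dst_ip in WHITELISTED_IPS:
        return "whitelisted"
    domain = KNOWN_DOMAINS.get(flow.dst_ip)
    # Heuristically safe only if the IP is backed by a valid forward DNS answer
    # for a well-known domain AND the port is one that domain normally encrypts on.
    if (domain is not None
            and flow.dst_ip in RESOLVED_DNS.get(domain, set())
            and flow.dst_port in EXPECTED_TLS_PORTS.get(domain, set())):
        return "heuristically-safe"
    return "unknown"                         # encrypted to an unvetted destination


def triage(flows):
    """Return (process, destination, port, tier) for every flow, unknowns first."""
    rows = [(f.src_proc, f.dst_ip, f.dst_port, classify(f)) for f in flows]
    return sorted(rows, key=lambda r: r[3] != "unknown")


# Constructed sample flows: one per tier, plus a known domain on an odd port.
SAMPLE_FLOWS = [
    Flow("outlook.exe", "203.0.113.20", 993, True),
    Flow("backup.exe", "203.0.113.10", 443, True),
    Flow("svchost.exe", "198.51.100.7", 9001, True),   # encrypted, unlisted IP, odd port
    Flow("chrome.exe", "203.0.113.20", 8080, True),    # known domain, unexpected port
    Flow("notepad.exe", "203.0.113.20", 80, False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS):
        print(*row)
```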
  • As so often, the solution is called "Backup".
    • by mlts ( 1038732 )

      I wonder how many generations of ransomware we will see before backups come back into "style". It used to be in the '90s that people actively did some type of backups, and even PCs shipped with some form of tape drive. Then disks got cheap, and offsite storage became viable, so backups were not done, or if done, were just kicked to the cloud.

      Any backup is better than none, but I wouldn't be surprised if the next generation of ransomware would either encrypt files slowly (but use a shim driver to decrypt s

    • by Nyder ( 754090 )

      As so often, the solution is called "Backup".

      Also, you could not store your documents in the "My Documents" folder; make a folder on your C drive and store your docs, pics & important stuff in that. So if you do get cryptoransomed, they will have done the wrong files.

      • As so often, the solution is called "Backup".

        Also, you could not store your documents in the "My Documents" folder; make a folder on your C drive and store your docs, pics & important stuff in that. So if you do get cryptoransomed, they will have done the wrong files.

        That will only take you so far. With so many programs defaulting to the My Documents folder, it'd be annoying at best to have to point to c:\realdocs "because viruses". The user could point the "My Documents" folder to c:\realdocs, but now we're in the same boat again. Even if a user decided it was worth the hassle to deprecate the use of the system variable, c:\realdocs would still be accessible by the same user. From Windows' security standpoint, there's no difference between the user being attacked by ra
