When did you last backup your data? Let that serve as a reminder to do so since a new ransomware, touted as a more powerful version of Cryptolocker, has been spotted in the wild. It uses the Tor network to anonymize its communication with the command and control server; that’s a relatively new twist for ransomware as it is more commonly seen with “banking Trojans.”
The new-and-improved ransomware has been selling as a “turnkey” system for $3,000 on Deep Web underground forums since mid-June; it’s currently available in English and Russian, making countries that use those languages the prime targets for attackers. Cybercrooks call the crypto-malware CTB-Locker (Curve-Tor-Bitcoin Locker); Microsoft identifies it as Critoni.A.
Critoni scans all hard and removable drives and then encrypts documents, photos and various other important files, as the crooks can specify various extensions, before displaying a “pay-up” warning dialogue.
Screenshot of CTB-Locker, aka Critoni, ransomware in English by French security researcher "Kafeine"
Critoni is advertised as using “persistent cryptography based on elliptic curves,” making it “impossible” for victims to decrypt files without paying the ransom. The demanded payment is not set in stone and is instead a “recommended” price of .5 Bitcoin, about $320 for victims in the U.S., Canada and Europe, or .25 Bitcoin -- $160 ransom for “other regions.” Each victim has three days, exactly 72 hours, to pay up.
Critoni “seems to be a strong, well thought piece of malware,” according to French security researcher "Kafeine," who has a good write-up and several screenshots. Kafeine reported that Critoni can be delivered by the Angler exploit kit, but attackers using different vectors have also been spotted in the wild. Basically that means this is not a one-size-fits-all attack; there is not just one way to end up getting infected.
“Early detection is not possible,” according to the advertised list of “pros.” It’s touted as “impossible to block the work of the locker.” Critoni connects “to the server only after encryption of all files,” and “blocking Tor prevents only payment [to] the user, not the program."
If the victim doesn’t have Bitcoins, Critoni offers instructions and an “exchange your currency to BTC” option.
Critoni demanding ransom payment, offering way to 'exchange' currency to BTC
If victims don’t cough up the demanded ransom, the file locking program self-deletes. Victims are then offered one "last chance" to pay the ransom and decrypt their files by following instructions provided in a text file located in their Documents folder.
Critoni also has an option for offline decryption.
Critoni offline decryption; credit: Kafeine
You can expect more details to emerge soon as Kaspersky Lab plans to publish a report about the “Onion Ransomware.”
After the feds “neutralized” Cryptolocker, experts named several emerging ransomware threats. Cryptowall, aka Cryptodefense, “abuses Tor” and also uses Bitcoin for the $500 payment option to decrypt files; but “unlike its predecessor, Cryptolocker, which threatened to delete the decryption key after 72 hours, Cryptowall's countdown timer is merely a trigger to a doubling of the ransom.” There’s even ransomware aimed at Android devices. Crooks dealing directly with victims seem to be a trend that is not going away.
Security experts say you should never pay the ransom. After all, these are cyber thugs…do you really believe payment guarantees decryption based on criminal’s promise? Be wise and back up your data now.