Critoni: new ransomware for sale

A new ransomware named Critoni has appeared and is available for sale in underground forums. Vendors advertise it as a new generation of Cryptolocker that uses the Tor network to hide its communication with the command-and-control (C&C) server and so provide anonymity.

The purpose of the malicious kit is to encrypt different types of files, such as documents and images, and then demand a ransom to decrypt them.


The sale announcement was discovered by a French security researcher using the pseudonym Caffeine. The researcher says that the advertisement has been posted since mid-June, and that the malware was initially used primarily against targets in Russia. The researcher adds that it has recently begun to be used in other countries as well.

The malware has been named CTB-Locker (Curve-Tor-Bitcoin Locker) by the criminals, and is detected as Critoni.A by . Its purchase price reaches 3,000 dollars.

Critoni is advertised as using persistent elliptic curve-based cryptography, which, according to the advertisement, makes it impossible to decrypt the files. The encryption keys are randomly generated.


As the name implies, the ransom has to be paid in Bitcoin so that the transaction cannot be traced back to the criminals. If the victim does not have bitcoins, the criminals provide instructions on how to obtain them.

The post in the underground forum also indicates that the encryption process can be carried out without an Internet connection.

According to Kaspersky's security experts, this is the first crypto-malware that uses the Tor network to communicate with the command-and-control server. This kind of protection has been observed in banking Trojans.

Angler EK payload: Spambot it seems.
079bf937d5020ca77ff97a5318414f07
2nd Stage Payload: Critroni.A
e89f09fdded777ceba6412d55ce9d3bc

iGuRu.gr, The Best Technology Site in Greece

Written by giorgos
