A new ransomware named Critoni has appeared and is being sold on underground forums. Vendors advertise it as a new generation of Cryptolocker that uses the Tor network to encrypt its communication with the command and control server and so keep the operators anonymous.
The purpose of the malware is to encrypt various types of files, such as documents and images, and then demand a ransom to decrypt them.
The sale announcement was discovered by a French security researcher using the pseudonym Kafeine. The researcher says the advertisement has been posted since mid-June and that the malware was initially used mainly in Russia, but has recently begun to be used in other countries as well.
The criminals call the malware CTB-Locker (Curve-Tor-Bitcoin Locker), and Microsoft detects it as Critoni.A. Its purchase price reaches 3,000 dollars.
Critoni is advertised as using strong elliptic curve-based cryptography, which makes it impossible to decrypt the files. The encryption keys are generated randomly.
As the name suggests, the ransom must be paid in the Bitcoin digital currency so that the criminals can avoid having the payments traced. If the victim does not have bitcoins, the criminals provide instructions on how to obtain them.
The publication in the underground forum also indicates that the encryption process can be done without an Internet connection.
According to security experts at Kaspersky, this is the first cryptomalware that uses the Tor network to communicate with its command and control server. This kind of protection had previously been observed in banking Trojans.
Angler EK payload (appears to be a spambot), MD5: 079bf937d5020ca77ff97a5318414f07
2nd stage payload (Critroni.A), MD5: e89f09fdded777ceba6412d55ce9d3bc