A new ransomware named Critoni has appeared and is being sold on underground forums. The vendors advertise it as a new generation of Cryptolocker that uses the Tor network to encrypt its communication with the command-and-control server, so as to keep the operators anonymous.
The purpose of this malicious kit is to encrypt various types of files, such as documents and images, and then demand a ransom for their decryption.
The sale announcement was discovered by a French security researcher who uses the pseudonym Caffeine. The researcher says the advertisement has been up since mid-June and that the malware was initially used mainly against targets in Russia, but has recently begun to be used in other countries as well.
The criminals themselves call the malware CTB-Locker (Curve-Tor-Bitcoin Locker); Microsoft detects it as Critoni.A. Its purchase price reaches 3,000 dollars.
Critoni is advertised as using strong elliptic-curve cryptography, which, according to the sellers, makes the encrypted files impossible to decrypt without the corresponding private key. Encryption keys are generated randomly.
As the name implies, the ransom must be paid in Bitcoin, which makes the transaction harder to trace back to the criminals. If the victim does not have any bitcoins, the criminals provide instructions on how to obtain them.
The posting on the underground forum also states that the encryption process can be carried out without an Internet connection. That is consistent with public-key encryption in general: the encrypting side needs only the public key, so no contact with a server is required for the encryption step itself.
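To make the two claims above concrete (elliptic-curve keys generated at random, and encryption that works with no Internet connection), here is an added example written for this page; it is not code from CTB-Locker or from any of the researchers cited. It is a minimal ECIES-style hybrid scheme in Go using only the standard library. Everything in it is an assumption for illustration: the curve (P-256), the key derivation (SHA-256 over the ECDH shared secret), the symmetric cipher (AES-256-GCM), the output layout and all function names; the article does not describe how CTB-Locker is actually built. What it demonstrates is the key-handling pattern: the encrypting side needs only the operator's public key, so it can run entirely offline, while recovering any ciphertext requires the operator's private key, which the victim never has.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Assumed construction for this example (not CTB-Locker's real one):
// P-256 ECDH, SHA-256 as KDF, AES-256-GCM. Blob layout:
//   ephemeralPublicKey (65 bytes, uncompressed) || nonce (12) || ciphertext+tag
const ephPubLen = 65

// GenerateOperatorKey produces the operator's long-term key pair. In the
// model described in the article only the public half would be shipped
// inside the sample; the private half never leaves the operator.
func GenerateOperatorKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// deriveGCM turns an ECDH shared secret into an AES-256-GCM instance.
func deriveGCM(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBlob is the "offline" step: it needs only the operator's public key.
// A fresh, random ephemeral key pair is created per blob (the randomly
// generated keys the article mentions), ECDH with the operator's public key
// gives a shared secret, and the derived AES-GCM key encrypts the data.
func EncryptBlob(operatorPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	gcm, err := deriveGCM(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, eph.PublicKey().Bytes()...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// DecryptBlob requires the operator's private key: it recomputes the shared
// secret from the ephemeral public key stored in the blob. With any other
// private key the GCM tag check fails and an error is returned.
func DecryptBlob(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < ephPubLen {
		return nil, errors.New("blob too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:ephPubLen])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := deriveGCM(shared)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < ephPubLen+n+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[ephPubLen:ephPubLen+n], blob[ephPubLen+n:]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	op, _ := GenerateOperatorKey()
	// Constructed sample data standing in for a victim's document.
	blob, _ := EncryptBlob(op.PublicKey(), []byte("constructed sample document"))
	pt, err := DecryptBlob(op, blob)
	fmt.Printf("operator key: %q, err=%v\n", pt, err)
	other, _ := GenerateOperatorKey()
	_, err = DecryptBlob(other, blob)
	fmt.Printf("wrong key: err=%v\n", err)
}
```

Note that nothing in the blob, and nothing in the encrypting program, contains the operator's private key; a victim who reverse-engineers the sample recovers only the public key and learns nothing that helps decrypt. This is the property a defender should assume whenever a crypto-ransomware family advertises public-key encryption with offline operation, and it is why backups, not cryptanalysis, are the realistic recovery path.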
According to Kaspersky's security experts, this is the first crypto-malware that uses the Tor network to communicate with its command-and-control server. This kind of protection had previously been observed only in banking Trojans.
Angler EK payload: Spambot, it seems.
MD5: 079bf937d5020ca77ff97a5318414f07
2nd stage payload: Critroni.A
MD5: e89f09fdded777ceba6412d55ce9d3bc