Menu
Stealthy ransomware 'Critroni' uses Tor, could replace Cryptolocker

Stealthy ransomware 'Critroni' uses Tor, could replace Cryptolocker

The Cryptolocker takedown led to a better designed, more resilient ransomware threat

Cybercriminals are spreading a new file-encrypting ransomware program that's more powerful and resilient than Cryptolocker, a threat recently shut down by the U.S. Department of Justice.

The new ransomware threat is called CTB-Locker (Curve-Tor-Bitcoin Locker), but Microsoft anti-malware products detect it as Critroni.A. Its creator has been advertising the program to other cybercriminals on Russian-language forums since the middle of June and it seems that he's been trying to fix most of Cryptolocker's faults.

Critroni uses a file encryption algorithm based on elliptic curve cryptography, which its creator claims is significantly faster than encryption schemes used by other ransomware threats. This also makes decrypting the affected files impossible without paying the ransom, if there are no implementation flaws.

Like Cryptolocker, Critroni generates a public and private key pair for every infected system. The public key is stored on the infected computer and given to the victim, who is then asked to pay a ransom in Bitcoin in order to recover the files.

The private key, which is used to decrypt the files, is stored on a remote command-and-control server that, in the case of Critroni, can only be accessed over the Tor anonymity network. This is a precaution that the creator has taken in order to make it difficult for law enforcement agencies or security researchers to identify and shut down the server.

In early June, the DOJ along with law enforcement agencies from several other countries took control of the Gameover Zeus botnet which was distributing the Cryptolocker ransomware. During the operation the authorities also seized the Cryptolocker command-and-control servers.

"Cryptolocker must communicate with its command and control infrastructure in order to encrypt newly infected computers," the DOJ told a Pennsylvania federal court on July 11 in a status update. "As of today, the injunctive relief ordered [...] knocked all of Cryptolocker's infrastructure offline, and has thereby neutralized Cryptolocker."

To prevent a similar takedown Critroni was designed to complete the file encryption operation locally before connecting to the command-and-control server. This also makes it hard for network security products to detect it early and block it by analyzing traffic.

Blocking Tor traffic only prevents the user from paying, not the program from functioning, the Critroni author said in his advertisement.

The new ransomware program initially targeted Russian-speaking users, but variants seen lately also display the ransom message in English, suggesting that the threat is now distributed more widely, said an independent malware researcher known online as Kafeine in a blog post Friday. "It seems to be a strong, well thought piece of malware."

Despite the DOJ's success against Cryptolocker, not all security researchers believe that the threat is dead. The DOJ's claim that the threat has been neutralized should be scrutinized because the seizure of command-and-control servers only impacted Cryptolocker samples distributed by the Gameover Zeus botnet, said Tyler Moffitt, a security researcher at Webroot in a blog post Thursday. "All samples currently being deployed by different botnets that communicate to different command and control servers are unaffected by this siege."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwareWebrootU.S. Department of Justice

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments