Computerworld

Stealthy ransomware 'Critroni' uses Tor, could replace Cryptolocker

The Cryptolocker takedown led to a better designed, more resilient ransomware threat

Cybercriminals are spreading a new file-encrypting ransomware program that's more powerful and resilient than Cryptolocker, a threat recently shut down by the U.S. Department of Justice.

The new ransomware threat is called CTB-Locker (Curve-Tor-Bitcoin Locker), but Microsoft anti-malware products detect it as Critroni.A. Its creator has been advertising the program to other cybercriminals on Russian-language forums since the middle of June and it seems that he's been trying to fix most of Cryptolocker's faults.

Critroni uses a file encryption algorithm based on elliptic curve cryptography, which its creator claims is significantly faster than encryption schemes used by other ransomware threats. This also makes decrypting the affected files impossible without paying the ransom, if there are no implementation flaws.

Like Cryptolocker, Critroni generates a public and private key pair for every infected system. The public key is stored on the infected computer and given to the victim, who is then asked to pay a ransom in Bitcoin in order to recover the files.

The private key, which is used to decrypt the files, is stored on a remote command-and-control server that, in the case of Critroni, can only be accessed over the Tor anonymity network. This is a precaution that the creator has taken in order to make it difficult for law enforcement agencies or security researchers to identify and shut down the server.

In early June, the DOJ along with law enforcement agencies from several other countries took control of the Gameover Zeus botnet which was distributing the Cryptolocker ransomware. During the operation the authorities also seized the Cryptolocker command-and-control servers.

"Cryptolocker must communicate with its command and control infrastructure in order to encrypt newly infected computers," the DOJ told a Pennsylvania federal court on July 11 in a status update. "As of today, the injunctive relief ordered [...] knocked all of Cryptolocker's infrastructure offline, and has thereby neutralized Cryptolocker."

To prevent a similar takedown Critroni was designed to complete the file encryption operation locally before connecting to the command-and-control server. This also makes it hard for network security products to detect it early and block it by analyzing traffic.

Blocking Tor traffic only prevents the user from paying, not the program from functioning, the Critroni author said in his advertisement.

The new ransomware program initially targeted Russian-speaking users, but variants seen lately also display the ransom message in English, suggesting that the threat is now distributed more widely, said an independent malware researcher known online as Kafeine in a blog post Friday. "It seems to be a strong, well thought piece of malware."

Despite the DOJ's success against Cryptolocker, not all security researchers believe that the threat is dead. The DOJ's claim that the threat has been neutralized should be scrutinized because the seizure of command-and-control servers only impacted Cryptolocker samples distributed by the Gameover Zeus botnet, said Tyler Moffitt, a security researcher at Webroot in a blog post Thursday. "All samples currently being deployed by different botnets that communicate to different command and control servers are unaffected by this siege."