Critroni Crypto Ransomware Seen Using Tor for Command and Control

Petrovic

Level 64
Thread author

There’s a new kid on the crypto ransomware block, known as Critroni, that’s been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it’s the first crypto ransomware seen using the Tor network for command and control.

The ransomware landscape has been dominated for the last year or so by CryptoLocker, one of the nastier pieces of malware to emerge recently. CryptoLocker has the ability to encrypt all of the files on an infected computer and then demands that the victim pay a ransom in order to get the private key to decrypt the data. The ransom demand often requires victims to pay in Bitcoins, and researchers say that the malware has infected hundreds of thousands of machines.

Earlier this summer law enforcement agencies in the United States and Europe took down the GameOver Zeus malware operation, one of the key mechanisms that attackers were using to push the CryptoLocker ransomware. Around the same time in mid-June, security researchers began seeing advertisements for the Critroni ransomware on underground forums. Also known as CTB-Locker, the ransomware at first was being used almost exclusively against victims in Russia, but now has been seen in other countries, as well.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims’ machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim’s PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files. Victims have 72 hours to pay, and for those who don’t own any Bitcoins, the ransomware helpfully provides some detailed instructions on how to acquire them in various countries, according to an analysis of the threat by a French security researcher who uses the handle Kafeine.

The recommended ransom payment is 0.5 BTC, about $300, for victims in the U.S., Canada and Europe, and 0.25 BTC for other countries.

“The Exploit Kit is just a vector. The delivery … kind of UPS/Fedex/DHL. In some cases you can see some trends: if a group has a dedicated threat and is using a dedicated vector, then you say stuff like glupteba –> Flash EK, Reveton –> Angler EK (and even that one is a little fetched, as one or two members are sometimes using their own EK). When it’s in affiliate mode … things are becoming blurry … many more actors and infection paths,” Kafeine said via email.

Full Article