Slashdot Mirror


Critroni Crypto Ransomware Seen Using Tor for Command and Control

Trailrunner7 writes There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it's the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing Tor connection is embedded in the malware's body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."

5 of 122 comments

  1. Antivirus by saloomy · · Score: 4, Informative

    Not trying to blame the victim, but I wonder if antivirus or anti-malware software will detect these ransomware programs? Just asking. I guess firewalls might be able to detect the Tor server/connections.

    All a firewall will see is encrypted traffic from the computer in the LAN (inside) initiating a connection to a random computer (IP address) on the Internet (outside interface). It's not able to see what is being sent/received, which is the entire reason for Tor's existence: protecting you from man-in-the-middle attacks, which in this case, the firewall would be.
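The comment above is right that the firewall cannot read the traffic, but it can still see where it goes, and the Tor network publishes its relay list, so a defender can match outbound flows against it. The following is an added example from the editor, not code from the article, Kaspersky, or any commenter. It assumes a constructed firewall log format ("timestamp src_ip dst_ip dst_port bytes_out"), an assumed internal range `INTERNAL_NET` of 10.0.0.0/8, and a placeholder `TOR_RELAYS` set built from documentation-range addresses; in practice that set would be populated from the published Tor consensus (relay address plus ORPort). The function names `find_tor_indicators` and `hosts_with_strong_match` are mine.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space (constructed for this example).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Placeholder relay set (constructed; documentation-range addresses, not real
# relays). In production, build this from the published Tor consensus
# (relay address + ORPort) and refresh it at least daily.
TOR_RELAYS = {
    ("198.51.100.10", 9001),
    ("198.51.100.20", 443),
    ("203.0.113.5", 9001),
}

# Conventional Tor ORPort and DirPort; a weak signal on its own.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed firewall log: "timestamp src_ip dst_ip dst_port bytes_out".
SAMPLE_LOG = """\
2014-07-21T10:00:01 10.0.0.5 192.0.2.1 443 1200
2014-07-21T10:00:04 10.0.0.5 198.51.100.10 9001 2300
2014-07-21T10:00:05 10.0.0.5 203.0.113.5 9001 2100
2014-07-21T10:00:06 10.0.0.5 198.51.100.20 443 1900
2014-07-21T10:00:08 10.0.0.5 192.0.2.77 9001 500
2014-07-21T10:00:09 10.0.0.7 192.0.2.1 443 800
2014-07-21T10:00:11 10.0.0.9 10.0.0.5 445 300
"""


def parse_line(line):
    """Split one log record into a dict; raises ValueError on malformed lines."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_tor_indicators(log_text):
    """Return {internal_host: [(kind, dst, port), ...]} for outbound flows matching Tor indicators.

    Strong indicator: destination (ip, port) is a known relay.
    Weak indicator: destination port is a Tor default port but the address is unknown
    (could be a bridge, a stale consensus, or unrelated traffic).
    """
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # Only internal -> external flows matter here.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        if (rec["dst"], rec["port"]) in TOR_RELAYS:
            findings[rec["src"]].append(("known_relay", rec["dst"], rec["port"]))
        elif rec["port"] in TOR_DEFAULT_PORTS:
            findings[rec["src"]].append(("tor_port_unknown_dst", rec["dst"], rec["port"]))
    return dict(findings)


def hosts_with_strong_match(findings):
    """Hosts with at least one known-relay hit; the ones worth an immediate look."""
    return sorted(h for h, reasons in findings.items()
                  if any(r[0] == "known_relay" for r in reasons))


if __name__ == "__main__":
    result = find_tor_indicators(SAMPLE_LOG)
    for host, reasons in sorted(result.items()):
        print(host)
        for kind, dst, port in reasons:
            print(f"  {kind:<22} {dst}:{port}")
    print("strong:", hosts_with_strong_match(result))
```

Two caveats matter in practice. A relay listening on 443 is indistinguishable from HTTPS by port alone, so the consensus match is the signal that counts, and a single host touching several distinct relays within seconds is a stronger indicator than one flow. Bridges and pluggable transports are not in the consensus and will not match; embedding the Tor code in the malware body (as the article describes) removes the tor.exe artifact on disk but changes nothing about what the firewall sees on the wire.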

  2. Re:Time to get rid of Tor by CRCulver · · Score: 4, Insightful

    It has also been an enabler for millions of people in Iran, Syria and Turkmenistan to frequent social networks like Facebook and Twitter. The considerable soft power that the West gains over the youth in these often hostile or hermetic states is worth the occasional use of the network for financial crimes.

  3. Re:Angler PC malware? by ttucker · · Score: 4, Insightful

    How is it you manage to not once mention Microsoft Windows in that whole article? How does the Critroni ransomware get onto the victim's PC in the first place?

    Most of this shit is installed by tricking the user with phishing-style emails and general social engineering to download attachments. Certainly zero-day stuff is a goldmine for malware, but under-informed end users are much more consistently available. The stuff that crypto ransom software holds hostage is heavily concentrated in the user's home directory, so no privilege escalation is required. It is good to be proud of your operating system of choice, but it is smug to think that Linux/OSX/BSD/Solaris will do anything technical to protect from such an attack.

  4. Re:Time to get rid of Tor by vux984 · · Score: 5, Insightful

    It has also been an enabler for millions of people in Iran, Syria and Turkmenistan to frequent social networks like Facebook and Twitter.

    And get uncensored news from buzzfeed

    Don't get me wrong, Tor is a great enabler for countering censorship, etc... but advocating that these people need access to facebook and twitter? Honestly. Nobody needs that.

  5. Re:Time to get rid of Tor by DarkOx · · Score: 4, Interesting

    And while we are on the subject:

    Its true that some protests and the beginnings of the Arab spring stuff apparently began on Twatter and Facespace; I wonder how much of that was going to happen anyway, especially given that in at least 3 of the four major uprisings the secular movements that seemed so popular online certainly have not proven to be what the people ultimately choose to support:

    Egypt - went theocracy and is now back to essentially an autocracy that more or less resembles the one they started out with.

    Libya - If you're not an Obama apologist, is a failed state, run by gangs or would-be tyrants.

    Syria - Remains to be seen if the rebels will even succeed, but if they do it will probably be Islamist.

    Tunisia - Well that one might have kinda worked.

    One is left to wonder if, much like Slashdot here in the States, where lots of radical (not to be necessarily read with a negative connotation) ideas get expressed online, it seems to amount to a lot of political masturbation because it does not get translated into actions that generate any sort of results at the ballot box. In some respects, taking a longer view, the pamphleteers of the late 17th and 18th centuries and the marchers and organizers of the mid 20th century seem to have had much more influence than the 21st century Internet critics. Oh sure, they can manage to get a SOPA or PIPA shot down once in a while, but can't get it turned into the sort of third rail the politicians will shy away from touching again for even a year.

    So is it possible the Internet is actually harmful to these movements, is it keeping people sitting at home posting on Facespace behind their proxies instead of actually out in the street doing something disruptive? Sure the organizing power of these things is clear but real widely supported political movements always have managed to organize before.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html