Ransomware is now one of the fastest growing classes of malicious software, says Kaspersky Lab researcher Fedor Sinitsyn. This should not come as a surprise, given that 35 percent of those who get infected by it end up paying the ransom.
The Russian AV company has recently spotted a new ransomware family they detect as “Onion.” The malware itself is called CTB-Locker, and analysis of its code revealed that, apart from its ultimate goal, it is unlike any other known ransomware family.
“Its developers used both proven techniques ‘tested’ on its predecessors (such as demanding that ransom be paid in Bitcoin) and solutions that are completely new for this class of malware,” says Sinitsyn.
CTB-Locker encrypts a wide range of files, and asks the victims to pony up 0.15999 Bitcoin (around $96). If the victims don’t own Bitcoin, they are instructed to change the money they have into this cryptocurrency.
CTB-Locker’s command server is located within the Tor anonymity network. Although this is not unusual for malware, it’s a first for ransomware.
“All the previously detected malware, if it communicated to the Tor network at all, did this in an unsophisticated manner: it launched (sometimes by injecting code into other processes) the legitimate file tor.exe, which is available for download on the network’s official website,” Sinitsyn explains.
“Trojan-Ransom.Win32.Onion does not use the existing file tor.exe. Instead, all the code needed to implement interaction with the anonymity network is statically linked to the malicious program’s executable file (i.e., is implemented as part of the malicious code) and is launched in a separate thread.”
Another distinction of this ransomware is that it compresses files before it encrypts them. It also uses an atypical cryptographic scheme: instead of the usual AES+RSA combination, it uses an implementation of the Elliptic Curve Diffie-Hellman (ECDH) key agreement scheme (as described in detail in this blog post).
Finding a way to decrypt the files without paying the ransom is practically impossible, even if one manages to intercept the key sent to the server. “This is because the malware writers have used the same asymmetric protocol, ECDH, to protect their traffic, albeit with a separate, dedicated set of keys,” Sinitsyn explains.
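To make the point above concrete, here is a small, self-contained ECDH key agreement written for this article; it is an added example, not code from the original post, from Kaspersky Lab, or from the malware. It uses a textbook toy curve (y² = x³ + 2x + 2 over F_17, generator (5, 1), group order 19) chosen for readability; the party names and the `ecdh_exchange` / `discrete_log` helpers are this example's own. It shows that two parties who exchange only public points arrive at the same shared secret, while an observer of the exchange holds just the public points. On this toy group the observer can recover a private scalar by trying all 19 possibilities; on a real 256-bit curve that search is infeasible, which is why intercepting the exchanged key material does not by itself yield the secret.

```python
"""Toy elliptic-curve Diffie-Hellman (ECDH) on a tiny curve.

Added illustration, not the article's or the malware's code. Curve:
y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1), group order 19.
"""

P = 17          # field modulus (toy size; real curves use ~256-bit primes)
A, B = 2, 2     # curve coefficients a, b
G = (5, 1)      # generator of the 19-element point group
ORDER = 19      # number of points including the point at infinity


def inv(x):
    """Modular inverse via Fermat's little theorem (P is prime)."""
    return pow(x, P - 2, P)


def add(p1, p2):
    """Group law on the curve; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p1 == -p2
    if p1 == p2:
        s = (3 * x1 * x1 + A) * inv(2 * y1) % P     # tangent slope
    else:
        s = (y2 - y1) * inv(x2 - x1) % P            # chord slope
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def on_curve(point):
    """True if the point satisfies the curve equation."""
    x, y = point
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ecdh_exchange(priv_a, priv_b):
    """Run ECDH between two parties with the given private scalars.

    Returns (pub_a, pub_b, secret_a, secret_b). Only pub_a and pub_b
    travel over the wire, so an eavesdropper sees nothing else.
    """
    pub_a = mul(priv_a, G)
    pub_b = mul(priv_b, G)
    secret_a = mul(priv_a, pub_b)         # a * (b * G)
    secret_b = mul(priv_b, pub_a)         # b * (a * G)
    return pub_a, pub_b, secret_a, secret_b


def discrete_log(target):
    """Brute-force the k with k * G == target.

    Feasible here only because ORDER is 19; the cost grows with the group
    size, which is what protects real ECDH exchanges from an observer.
    """
    acc = None
    for k in range(1, ORDER):
        acc = add(acc, G)
        if acc == target:
            return k
    return None


if __name__ == "__main__":
    # Constructed sample scalars for the two parties.
    pub_a, pub_b, sec_a, sec_b = ecdh_exchange(3, 5)
    print("on the wire:", pub_a, pub_b)
    print("shared secret (both sides):", sec_a, sec_b)
    print("toy-curve observer recovers a =", discrete_log(pub_a))
```

The observer's only advantage on the toy curve is the brute-force loop in `discrete_log`, whose cost scales with the group order; replace the 19-point group with a standard 256-bit curve and the same loop never finishes, which is exactly why the captured key material in the article is useless without the operators' private key.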
Finally, CTB-Locker is disseminated via the Andromeda bot. The bot downloads an email worm called Joleee, which then downloads the encryptor.
All in all, this is one destructive piece of malware, and the only way to prevent permanent damage to your files is by using a security solution that detects it, and by regularly backing up your files so that you can restore them if you do get infected.