{"id":3697,"date":"2014-07-24T10:45:01","date_gmt":"2014-07-24T14:45:01","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=3697"},"modified":"2020-02-26T18:58:53","modified_gmt":"2020-02-26T14:58:53","slug":"ransomware-goes-to-toraims-to-eclipse-infamous-cryptolocker","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ransomware-goes-to-toraims-to-eclipse-infamous-cryptolocker\/3697\/","title":{"rendered":"Ransomware goes to TOR,aims to eclipse infamous Cryptolocker"},"content":{"rendered":"

You are probably already aware of recent cybercriminal development, namely encrypting ransomware. This kind of malware doesn\u2019t try to hide from users; instead, a locker encrypts user\u2019s documents using strong cryptography and demands ransom for decryption. Infamous examples of his malware family are Cryptolocker<\/a> and CryptoWall, among others. Unfortunately, this criminal scheme proved profitable, so new, stronger and more efficient types of encrypting Trojans emerged. We are here to warn you of the \u201cOnion\u201d ransomware (aka CTB-Locker), which uses anonymous TOR (The Onion Router)<\/a> network and Bitcoins<\/a> to better protect criminals, their funds and keys to victims\u2019 files from law enforcement.<\/p>\n

\"ransomeware\"<\/a><\/p>\n

By using TOR, criminals make it harder to trace their activity and seize malware control servers. Using Bitcoins, an anonymous cryptocurrency, as the exclusive payment option, makes following the money complex too. What does it mean for ordinary users? Criminals will likely be able to use this malware for a long time. In addition, the malware is being sold on underground forums and attracted international attention. That\u2019s why we expect further infections in other regions, especially in the U.S., UK and others, that have proven to be good \u201cmarkets\u201d for ransomware.<\/p>\n

The Onion Locker is technically a sophisticated malware that acts silently until all user\u2019s documents are encrypted. Only then it uploads key-related data to its control server via TOR and displays a warning with a 72-hour countdown. The victim is offered to pay 0.2-0.5 Bitcoins (120-350 USD) to receive a decryption key. If s\/he fails to pay in 72 hours, the key (and all encrypted files) can be considered lost. \u00a0To be \u201chelpful\u201d, criminals give some tips on Bitcoin buying and provide an instruction for the case when a user must buy the key from another computer.<\/p>\n

\u201cHiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there,\u201d said Fedor Sinitsyn<\/strong>, Senior Malware Analyst at Kaspersky Lab.<\/p>\n

The malware is currently being distributed using classical criminal means: web pages with exploit<\/a> kits initiate Trojan downloads to a victim\u2019s computer, then this Trojan downloads The Onion encryptor. More detailed analysis is available on Securelist.com<\/a><\/p>\n

Avoiding The Onion locker and other types of encrypting ransomware<\/h2>\n

To prevent your computer from being infected, regularly update critical software components on your computers: an operating system, a browser and all add-ons (media players, Java, PDF readers and so on). In addition, a strong Internet Security solution is advised. By the way, a recent version of Kaspersky Internet Security<\/a> has dedicated technologies to counter encrypting ransomware<\/a>.<\/p>\n

To be able to restore your data after any disaster, be it a ransomware attack, theft or flood, the regular backup to a safely stored removable media is crucial.<\/p>\n","protected":false},"excerpt":{"rendered":"

You are probably already aware of recent cybercriminal development, namely encrypting ransomware. This kind of malware doesn\u2019t try to hide from users; instead, a locker encrypts user\u2019s documents using strong<\/p>\n","protected":false},"author":32,"featured_media":3698,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[374,728,36,729,433,531],"class_list":{"0":"post-3697","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-bitcoin","10":"tag-cruptolocker","11":"tag-malware-2","12":"tag-onion","13":"tag-ransomware","14":"tag-tor"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ransomware-goes-to-toraims-to-eclipse-infamous-cryptolocker\/3697\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ransomware-goes-to-toraims-to-eclipse-infamous-cryptolocker\/3799\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ransomware-goes-to-toraims-to-eclipse-infamous-cryptolocker\/4188\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ransomware-goes-to-toraims-to-eclipse-infamous-cryptolocker\/4438\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ransomware-goes-to-toraims-to-eclipse-infamous-cryptolocker\/4753\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ransomware-goes-to-toraims-to-eclipse-infamous-cryptolocker\/5528\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ransomware-goes-to-toraims-to-eclipse-infamous-cryptolocker\/4753\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ransomware-goes-to-toraims-to-eclipse-infamous-cryptolocker\/5528\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ransomware-goes-to-toraims-to-eclipse-infamous-cryptolocker\/5528\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/bitcoin\/","name":"bitcoin"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3697","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=3697"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3697\/revisions"}],"predecessor-version":[{"id":15871,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3697\/revisions\/15871"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/3698"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3697"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3697"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}