{"id":4520,"date":"2015-01-29T10:00:54","date_gmt":"2015-01-29T15:00:54","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=4520"},"modified":"2020-02-26T18:59:34","modified_gmt":"2020-02-26T14:59:34","slug":"new-version-ctb-locker","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/new-version-ctb-locker\/4520\/","title":{"rendered":"Onion Ransomware News: Improved Version of CTB-Locker Emerges"},"content":{"rendered":"

A new variant of the Onion ransomware has emerged, though you might see it referred to as CTB-Locker or Citroni<\/a>.<\/p>\n

Whatever you decide to call it, CTB-Locker is a Cryptolocker-like piece of malware<\/a> that encrypts all the files on its host machines and demands a ransom payment in order to decrypt those files.<\/p>\n

CTB-Locker, or Curve Tor Bitcoin Locker, differs from other ransomware in that it uses The Tor Project\u2019s anonymity network in order to shield itself from takedown efforts that rely largely on static malware command and control servers. Its use of Tor also helps it evade detection and blocking. Another thing that protects CTB-Locker controllers is accepting only the decentralized and largely anonymous crypto-currency known as Bitcoin<\/a>.<\/p>\n

All this makes CTB-Locker a highly dangerous threat and one of the most technologically advanced encryptors out there.<\/div>\n

\u201cHiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server,\u201d Fedor Sinitsyn, a senior malware analyst at Kaspersky Lab told the Daily last year<\/a>. \u201cAll this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there.\u201d<\/p>\n

The new version of CTB-Locker \u2014 known to Kaspersky Lab products as Trojan-Ransom.Win32.Onion \u2014 contains some interesting upgrades, according to Sinitsyn. As is increasingly the case, it offers its victims a sort of \u2018trial demo\u2019 whereby the infected can choose five files to decrypt without paying the ransom<\/a>. It\u2019s also available in three new languages: German, Dutch, and Italian. CTB also evades research efforts by detecting virtual machines that researchers use to safely analyze malware and not executing in those environments. Instead of connecting directly to Tor, CTB proxies itself through six additional anonymization services in order to further complicate tracking and takedown efforts.<\/p>\n

\n

How to explain #ransomware<\/a> to a 5 year old http:\/\/t.co\/hSnc2fzQgW<\/a> pic.twitter.com\/Ge2kjGQBlh<\/a> @kaspersky<\/a> @SophosLabs<\/a> @AppRiver<\/a> @checkpointsw<\/a><\/p>\n

\u2014 Silicon UK (@SiliconGB) January 20, 2015<\/a><\/p><\/blockquote>\n