Critroni has been flogged on underground forums for the last month or so and is now being used by the Angler exploit kit.
Security experts say that it is the first crypto ransomware seen using the Tor network for command and control.
It is bad news. The ransomware landscape has been ruled by CryptoLocker and that bit of code has proved really hard to defeat. CryptoLocker encrypts all of the files on an infected computer and then demands that the victim pay a ransom in order to get the private key to decrypt the data.
Coppers in the United States and Europe took down the GameOver Zeus malware operation, one of the key mechanisms that attackers were using to push CryptoLocker. Since then security researchers spotted advertisements for the Critroni ransomware. Critroni also is known as CTB-Locker, and was first used in Russia.
You can pick up Critroni ransomware for $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims’ machines.
Once on a victim’s PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.
Victims have 72 hours to pay up. The ransom payment is usually about $300, for victims in the US, Canada and Europe.
One of the unique features of Critroni/CTB-Locker is that it uses the C2 function hidden in the Tor network Tor for its command-and-control infrastructure.
Fedor Sinitsyn, senior malware analyst at Kaspersky Lab said that the executable code for establishing Tor connection is embedded in the malware’s body.
Embedding Tor functions in the malware’s body is difficult from the programming point of view, but it helps to avoid detection.
Critroni is in English and Russian right now, so it is expected that countries which use those languages will be a target.