[tor-talk] A new generation of ransomware: Elliptic curve cryptography + Tor + Bitcoin

georg at riseup.net
Tue Jul 29 20:51:27 UTC 2014

Ransomware is now one of the fastest growing classes of malicious
software. In the last few years it has evolved from simple screen blockers
demanding payments to something far more dangerous.

The Ransomware class is now based on so-called encryptors – Trojans that
encrypt every kind of data that may be of value to the user without his or
her knowledge. The data can include personal photos, archives, documents,
databases (e.g., databases used in 1C:Enterprise software intended for
automation of business activities), diagrams, etc. In order to decrypt
these files the criminals demand a payment – often a significant sum.
CryptoLocker, CryptoDefence (and its successor CryptoWall), ACCDFISA, and
GpCode are some of the most notorious examples. There are also lots of
lesser-known families that have spread in Russia and the CIS.

At the end of June 2014 Kaspersky Lab detected a new encryptor. Analysis
showed that the Trojan had nothing in common with other known families and
a number of features that suggested it was a completely new creation. Its
name? CTB-Locker.

This new family is detected by Kaspersky Lab as Trojan-Ransom.Win32.Onion.

This encryption malware belongs to a new generation of ransomware. Its
developers used both proven techniques 'tested' on its predecessors (such
as demanding that ransom be paid in Bitcoin) and solutions that are
completely new for this class of malware. Specifically, hiding the command
and control servers in the Tor anonymity network complicates the search for
the cybercriminals, and the use of an unorthodox cryptographic scheme
makes file decryption impossible, even if traffic is intercepted between
the Trojan and the server. All this makes Trojan-Ransom.Win32.Onion a
highly dangerous threat and one of the most technologically advanced
encryptors out there. [...]
