Andromeda bot spreads Tor-using CTB-Locker ransomware

Kaspersky Lab identified CTB-Locker as Trojan-Ransom.Win32.Onion, but Microsoft identified it as Critroni.A.

Last week a security researcher posted that the Angler Exploit Kit was delivering new ransomware advertised as CTB-Locker – now researchers with Kaspersky Lab have identified the Tor-using threat being spread by another malware known as Andromeda bot.

CTB-Locker is identified by Kaspersky Lab as Trojan-Ransom.Win32.Onion, or Onion for short, according to a Thursday post. When reported on last week, the security researcher known as Kafeine said the ransomware was identified by Microsoft as Critroni.A.

Onion is the first Windows ransomware using command-and-control servers that are hidden on the Tor network, Fedor Sinitsyn, senior malware analyst with Kaspersky Lab, told SCMagazine.com in a Friday email correspondence.

“The main benefit: it's difficult to track persons who established the command server in this anonymous network,” Sinitsyn said, explaining that previous Windows ransomware had only hidden its information pages on Tor. “Also, it's harder to intercept traffic between the client – the malware – and its command server.”

Kaspersky Lab identified Onion being spread by separate malware known as Andromeda bot, Sinitsyn said. He explained that the bot is primarily delivered in spam email carrying a malicious attachment, or via a link leading to a compromised website serving up an exploit kit, such as the Blackhole exploit kit.

Following infection, Andromeda receives a command to download and launch Joleee, a worm typically used to distribute spam, which in this case can also receive a command to download and launch Onion, Sinitsyn said. Onion then encrypts files using Elliptic Curve Diffie-Hellman cryptography.

Although English was the only supported language in early versions of the ransomware, it was later modified to support Russian, and so far infections have been detected in Russia, Ukraine, Kazakhstan and Belarus, according to the post.

“We haven't registered any detections in the U.S.,” Sinitsyn said. “However, it is possible, because the ‘advertisement’ by the creator of this malware offers other cybercriminals to purchase and spread it themselves.”

Once Onion claims a victim, the ransomware provides ample instructions on how to send the Bitcoin ransom. The Bitcoin ransom can be specified by the attacker, as can the extensions of files that are encrypted.
