Andromeda bot spreads Tor-using CTB-Locker ransomware
Kaspersky Lab identified CTB-Locker as Trojan-Ransom.Win32.Onion, but Microsoft identified it as Critroni.A.
Last week a security researcher posted that the Angler Exploit Kit was delivering new ransomware advertised as CTB-Locker – now researchers with Kaspersky Lab have identified the Tor-using threat being spread by another malware known as Andromeda bot.
CTB-Locker is identified by Kaspersky Lab as Trojan-Ransom.Win32.Onion, or Onion for short, according to a Thursday post. When reported on last week, the security researcher known as Kafeine said the ransomware was identified by Microsoft as Critroni.A.
Onion is the first Windows ransomware using command-and-control servers that are hidden on the Tor network, Fedor Sinitsyn, senior malware analyst with Kaspersky Lab, told SCMagazine.com in a Friday email correspondence.
“The main benefit: it's difficult to track persons who established the command server in this anonymous network,” Sinitsyn said, explaining that earlier Windows ransomware had used Tor only to hide its information pages, not its command servers. “Also, it's harder to intercept traffic between the client – the malware – and its command server.”
Kaspersky Lab identified Onion being spread by separate malware known as Andromeda bot, Sinitsyn said. He explained that the bot is primarily delivered in email spam, either as a malicious attachment or via a link leading to a compromised website serving up an exploit kit, such as the Blackhole exploit kit.
Following infection, Andromeda receives a command to download and launch Joleee, a worm typically used to send spam, which in this case can in turn receive a command to download and launch Onion, Sinitsyn said. Onion then encrypts files using Elliptic Curve Diffie-Hellman cryptography.
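As an added illustration (not code from the article, from Kaspersky Lab or from the malware itself), the following Python models why ECDH-based file encryption leaves a victim unable to recover data without the attacker's private key: the malware carries only the attacker's static public key, generates a fresh ephemeral key pair per file, derives a symmetric key from the ECDH shared point, and discards the ephemeral private key. The curve (secp256k1), the KDF, the SHA-256 counter-mode stream cipher and the HMAC tag are assumptions chosen to keep the example standard-library only; the sample file contents are constructed, and Onion's actual parameters are not described in the article.

```python
"""Model of ECDH-based ransomware key management (illustrative; not Onion's code)."""
import hashlib
import hmac
import os

# secp256k1 domain parameters (public constants). The curve is an assumption for
# this example; the article only says "Elliptic Curve Diffie-Hellman".
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Random private scalar in [1, N-1] and its public point."""
    priv = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
    return priv, ec_mul(priv, G)


def derive_keys(shared_point):
    """KDF (assumed): split SHA-256 of the shared x-coordinate into cipher and MAC keys."""
    okm = hashlib.sha256(b"ecdh-demo-kdf" + shared_point[0].to_bytes(32, "big")).digest()
    return okm[:16], okm[16:]


def keystream_xor(key, data):
    """SHA-256 in counter mode as a stand-in stream cipher (the stdlib has no AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(plaintext, attacker_pub):
    """Victim side: fresh ephemeral key per file; only the ephemeral *public* key is kept."""
    eph_priv, eph_pub = keygen()
    enc_key, mac_key = derive_keys(ec_mul(eph_priv, attacker_pub))
    del eph_priv  # the secret half is never written anywhere
    ct = keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return eph_pub, ct + tag  # eph_pub is stored alongside the ciphertext


def decrypt_file(eph_pub, blob, attacker_priv):
    """Attacker side (the decryptor sold to the victim): rebuild the shared point."""
    enc_key, mac_key = derive_keys(ec_mul(attacker_priv, eph_pub))
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong private key or corrupted blob")
    return keystream_xor(enc_key, ct)


if __name__ == "__main__":
    # Attacker's static pair is generated offline; only attacker_pub ships in the malware.
    attacker_priv, attacker_pub = keygen()
    sample = b"Q3 payroll spreadsheet contents (constructed sample data)"
    eph_pub, blob = encrypt_file(sample, attacker_pub)
    print("recovered with attacker key:", decrypt_file(eph_pub, blob, attacker_priv) == sample)
```

Everything the malware leaves on disk (ciphertext, the per-file ephemeral public key, and the embedded attacker public key) is public-key material, so recovering the symmetric key from a sample alone amounts to solving the elliptic-curve discrete logarithm problem; a wrong private key fails the HMAC check rather than yielding plaintext. That is the practical reason victims of such a scheme depend on the attacker's private key, and on whatever infrastructure guards it, rather than on analysis of the sample.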
Although English was the only supported language in early versions of the ransomware, it was later modified to support Russian, and so far infections have been detected in Russia, Ukraine, Kazakhstan and Belarus, according to the post.
“We haven't registered any detections in the U.S.,” Sinitsyn said. “However, it is possible, because the ‘advertisement’ by the creator of this malware offers other cybercriminals to purchase and spread it themselves.”
Once Onion claims a victim, the ransomware provides ample instructions on how to send the Bitcoin ransom. The Bitcoin ransom can be specified by the attacker, as can the extensions of files that are encrypted.