Heads-Up: Second Generation Ransomware In The Wild

CTB Locker Last week, Fedor Sinitisyn, blogger and security researcher for Kaspersky posted something worrisome. He reported that the Angler Exploit Kit was delivering a new second-generation type of ransomware called CTB-Locker for "Curve-Tor-Bitcoin". Kaspersky identifies it as "Onion" because it uses the TOR network, Microsoft identifies the malware as Critroni.A.

The Next CryptoLocker

Sinitisyn described Onion as the potential successor to CryptoLocker, and said that other malware used the anonymous TOR network though it was limited to banking malware families such as the 64-bit ZeuS.

Why Second Generation? 5 reasons:

CTB-Locker is the very first Windows ransomware that uses the TOR network for its command & control (c&c) servers which makes it much harder to shut down.
Traffic between the malware that lives on the infected machine and its c&c servers is much harder to intercept.
Onion encrypts files using little-used and super strong Elliptic Curve Diffie-Hellman cryptography which makes decrypting it yourself impossible.
Compresses files before encrypting them
It was built as commercial crimeware, so it can be sold globally to other cybercriminals. The Bitcoin ransom can be specified, as can the extensions of the files that will be encrypted.

This new generation is likely originating from an eastern European country like the Ukraine or Romania, but not Russia. The developers of the early versions of Onion had English-speaking users in view as their primary targets, and English was the only language supported in the GUI. However in more recent versions, Russian also came to be supported in the Trojan's GUI along with English. The fact that the first infections are mainly in Russia means it originated somewhere outside of Russia. Russian cyber crime never hacks in Russia itself because they are immediately arrested and shut down by the Russian security services.

Once a PC is infected with Onion, the ransomware gives the victim detailed instructions on how to pay the Bitcoin ransom. Here is how the locking screen looks:

onion3 FS final eng 2 sm resized 600

The fact that other cybercriminals are going to use this code will make it certain that the U.S. will be heavily targeted. Symantec's Internet Security Threat Report mentioned on page 6:

Ransomware attacks grew by 500 percent in 2013 and turned vicious
Scammers continued to leverage profitable ransomware scams where the attacker pretends to be local law enforcement demanding a fake fine of between $100 to $500.
First appearing in 2012 these threats escalated in 2013, and grew by 500 percent over the course of the year.

A link to the report is here.

More than ever it is needed to step your users through effective security awareness training before their files (or all the others on the file server) are being taken ransom. And (very obviously) you need excellent backup/restore software and test that frequently. KnowBe4 guarantees you that once all your users are trained and receive a simulated phishing attack once a month, we will pay your crypto-ransom if you get hit.