Onion Ransomware News: Improved Version of CTB-Locker Emerges

New version of CTB-Locker, a ransomware that uses Tor and Bitcoin to evade detection and takedowns, should be avoided at all costs.

A new variant of the Onion ransomware has emerged, though you might see it referred to as CTB-Locker or Citroni.

Whatever you decide to call it, CTB-Locker is a Cryptolocker-like piece of malware that encrypts all the files on its host machines and demands a ransom payment in order to decrypt those files.

CTB-Locker, or Curve Tor Bitcoin Locker, differs from other ransomware in that it uses The Tor Project’s anonymity network to shield itself from takedown efforts, which rely largely on locating static malware command and control servers. Its use of Tor also helps it evade detection and blocking. The operators of CTB-Locker are further protected by accepting payment only in Bitcoin, the decentralized and largely anonymous crypto-currency.

All this makes CTB-Locker a highly dangerous threat and one of the most technologically advanced encryptors out there.

“Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server,” Fedor Sinitsyn, a senior malware analyst at Kaspersky Lab told the Daily last year. “All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there.”

The new version of CTB-Locker — known to Kaspersky Lab products as Trojan-Ransom.Win32.Onion — contains some interesting upgrades, according to Sinitsyn. As is increasingly the case, it offers its victims a sort of ‘trial demo’ whereby the infected can choose five files to decrypt without paying the ransom. It’s also available in three new languages: German, Dutch, and Italian. CTB-Locker also hinders analysis by detecting the virtual machines that researchers use to examine malware safely, and refusing to execute in those environments. Instead of connecting directly to Tor, CTB-Locker proxies itself through six additional anonymization services in order to further complicate tracking and takedown efforts.

The best line of defense against this and other threats is to have backed up your machine yesterday (and to back it up again next week). You also need to run a strong antivirus product and make sure all of your software, operating systems, and applications are up to date with the latest patches installed. Once you become infected, there is no way to recover the files encrypted by CTB-Locker. You could pay the ransom, but despite the fact that cybercrime is an increasingly professional and customer-service-oriented business, there is no guarantee that you will ever receive the key to decrypt your files.

Like it or not, ransomware is big business, and it’s only likely to become a bigger problem moving forward as more of our daily lives and belongings are incorporated into the so-called “Internet of Things.”

Thus far, the Kaspersky Security Network has seen some 361 attempts at infection, mostly in Russia and Ukraine. Users of Kaspersky Lab products are specifically protected from this and other encryption malware, unless they have the “System Watcher” feature disabled. System Watcher works by immediately making locally protected backup copies of user files when suspicious programs access them. Please make sure you have this module running.
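To make the backup-on-access idea concrete, here is a small added illustration in Python. It is not System Watcher or any Kaspersky code; it is a hypothetical toy written for this article that snapshots each user file before an untrusted program is allowed to modify it, then rolls the files back after a simulated destructive overwrite. The file names and contents are constructed sample data, and the `ShadowStore` class and its methods are invented for the example.

```python
"""Toy illustration of a backup-on-access defence against encrypting malware.

Hypothetical example code written for this article. It is NOT Kaspersky's
System Watcher; it only demonstrates the idea described there: keep a pristine
copy of a file before a suspicious program touches it, and restore from that
copy if the modification turns out to be malicious.
"""
import hashlib
import os
import shutil
import tempfile


class ShadowStore:
    """Keeps one pristine, read-only copy per protected file."""

    def __init__(self, store_dir):
        self.store_dir = store_dir
        os.makedirs(store_dir, exist_ok=True)
        self.index = {}  # original path -> backup path

    def _backup_path(self, path):
        # Key the backup by a hash of the absolute path so names cannot collide.
        digest = hashlib.sha256(os.path.abspath(path).encode()).hexdigest()
        return os.path.join(self.store_dir, digest)

    def protect(self, path):
        """Snapshot a file the first time a suspicious program accesses it."""
        if path in self.index:
            return self.index[path]          # already protected; keep the first copy
        backup = self._backup_path(path)
        shutil.copyfile(path, backup)
        os.chmod(backup, 0o400)              # read-only: the copy must survive later writes
        self.index[path] = backup
        return backup

    def restore(self, path):
        """Overwrite the (possibly encrypted) file with its pristine copy."""
        shutil.copyfile(self.index[path], path)

    def restore_all(self):
        for path in list(self.index):
            self.restore(path)
        return len(self.index)


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def simulate_destructive_overwrite(path):
    """Stand-in for an encryptor: replace the contents with random bytes,
    which are unrecoverable without a backup."""
    size = os.path.getsize(path)
    with open(path, "wb") as f:
        f.write(os.urandom(size))


def demo():
    """Create three constructed files, snapshot them, corrupt them, roll back.

    Returns True only if every file was actually corrupted and then restored
    to a byte-identical copy of the original."""
    with tempfile.TemporaryDirectory() as work:
        docs = os.path.join(work, "docs")
        os.makedirs(docs)
        originals = {}
        for name in ("report.txt", "photo.bin", "notes.md"):   # constructed sample files
            p = os.path.join(docs, name)
            with open(p, "wb") as f:
                f.write(os.urandom(512))
            originals[p] = sha256_file(p)

        store = ShadowStore(os.path.join(work, "shadow"))
        for p in originals:
            store.protect(p)                 # snapshot before the untrusted writer runs
        for p in originals:
            simulate_destructive_overwrite(p)
        corrupted = all(sha256_file(p) != h for p, h in originals.items())
        store.restore_all()
        recovered = all(sha256_file(p) == h for p, h in originals.items())
        return corrupted and recovered


if __name__ == "__main__":
    print("rollback succeeded:", demo())
```

The design point is the ordering: the copy is taken before the suspicious process gets to write, and it is kept read-only in a separate location, so an encryptor that overwrites the original in place never touches the pristine data. A real product also has to decide which processes count as suspicious and must protect the backup store from the malware itself; this toy does neither.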

TL;DR: Kaspersky users are protected while they keep System Watcher on. If you are already infected, the only way to get your files back is to pay the ransom, though there’s no guarantee you will receive them even if you pay. World’s tough.