July 21, 2014, 11:14 AM — Cybercriminals are spreading a new file-encrypting ransomware program that's more powerful and resilient than Cryptolocker, a threat recently shut down by the U.S. Department of Justice.
The new ransomware threat is called CTB-Locker (Curve-Tor-Bitcoin Locker), but Microsoft anti-malware products detect it as Critroni.A. Its creator has been advertising the program to other cybercriminals on Russian-language forums since the middle of June and it seems that he's been trying to fix most of Cryptolocker's faults.
Critroni uses a file encryption algorithm based on elliptic curve cryptography, which its creator claims is significantly faster than encryption schemes used by other ransomware threats. This also makes decrypting the affected files impossible without paying the ransom, if there are no implementation flaws.
Like Cryptolocker, Critroni generates a public and private key pair for every infected system. The public key is stored on the infected computer and given to the victim, who is then asked to pay a ransom in Bitcoin in order to recover the files.
The private key, which is used to decrypt the files, is stored on a remote command-and-control server that, in the case of Critroni, can only be accessed over the Tor anonymity network. This is a precaution that the creator has taken in order to make it difficult for law enforcement agencies or security researchers to identify and shut down the server.
In early June, the DOJ along with law enforcement agencies from several other countries took control of the Gameover Zeus botnet which was distributing the Cryptolocker ransomware. During the operation the authorities also seized the Cryptolocker command-and-control servers.
"Cryptolocker must communicate with its command and control infrastructure in order to encrypt newly infected computers," the DOJ told a Pennsylvania federal court on July 11 in a status update. "As of today, the injunctive relief ordered [...] knocked all of Cryptolocker's infrastructure offline, and has thereby neutralized Cryptolocker."
To prevent a similar takedown Critroni was designed to complete the file encryption operation locally before connecting to the command-and-control server. This also makes it hard for network security products to detect it early and block it by analyzing traffic.
Blocking Tor traffic only prevents the user from paying, not the program from functioning, the Critroni author said in his advertisement.