



Details of Critroni Ransomware

How it works





Kaspersky Lab is working on Critroni and they have named the ransomware as Onion Ransomware. Kaspersky says that, the research paper will be public in next weeks. So coming week we can have more information about the Critroni ransomware.





Payment Process

Another new crypto ransomware know asis being sold in underground forums from last month or so and is now being dropped by the Angler exploit kit. This ransomware have some unique features that researcher have not seen on earlier crypto ransomware. The most interesting features ofThe attack of ransomware malware have been active from last year, and we have seen many of the ransomware incidents, specially the Crypto Locker. As CryptoLocker have the ability to encrypt all the files and data on the infected computers and ask ransomware in order to unlock it.Currently Critroni ransomware is selling for $3,000 in underground forums and researchers says that it is using by numbers of attackers. Many of the attacker is using Angler exploit Kit to spread the spambot on the victim machine. The Spambot then downloads couples of other payloads and with Critroni into the victim machine. Critroni is currently available in English and Russian language, so these language relating countries have more number of infected users.According to the French security researcher who uses the handle, is analyzing the threats , the a users get infected by Critroni ransomware, it encrypts all the files and data (such as doc files, videos, photos ) of the infected computer. After that is display the dialog box informing the users about the infection and demands a ransom in Bitcoin in order to decrypt the files. Critroni gives 72 hours to the users to pay. Additionally, for those users who don't have bitcoins, Critroni ransomware provides a helpful tips on how to get the Bitcoins.As already says, Critroni ransomware unique features is that, it uses TOR hidden network for the command and control, which is been not seen in any of the earlier crypto ransomware.“It uses C2 hidden in the Tor network. Previously we haven’t seen cryptomalware having C2 in Tor. Only banking trojans,” said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. “Executable code for establishing Tor connection is embedded in the malware’s body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware’s body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general.”Critroni is nicknamed CTB-Locker, for Curve/Tor/Bitcoin. If a victim’s infected machine can’t connect to the attacker’s server in order to send the Bitcoin payment, the ransomware provides instructions for him to go to another PC and download the Tor browser bundle and then connect to the attacker’s Tor server to complete the transaction.