Critroni, a sophisticated ransomware which uses Tor Network as C&C

Pierluigi Paganini July 19, 2014

A security researcher has detailed Critroni ransomware, a new sophisticated malware which is being sold in different underground forums.

In 2013 ransomware were among the menaces that monopolized the threat landscape, malware such as Cryptolocker infected hundreds of thousand machines worldwide.

Critroni (aka CTB-Locker) is the name of the last ransomware which captured the attention of security experts, the malware is being sold in different underground forums in the last weeks and recently it has been included in the Angler exploit kit.

A detailed analysis of the ransomware was posted on “” by the French security researcher Kafeine.

Critroni implements many functionalities that makes it a ransomware out of the ordinary, for example, it uses of the Tor network to host its command and control.

“Placing a server in onion-domain (TOR), close to domain abuse can not be practically impossible to trace the owner and shut down the server. 

Connection to the server only after encryption of all files. Early Detection is not possible on the traffic, it is impossible to block the work of the locker. Blocking TOR prevents only payment the user, not the program. Analogs are connected to the server until the crypt and can block. ”  states the adv for the malware.

The diffusion of ransomware like Critroni was advantaged by the takedown of the GameOver Zeus operated by law enforcement in a multinational effort, the botnet in fact was used by cyber criminals to serve CryptoLocker ransomware.

Around the same time in mid-June, security researchers began seeing advertisements for the Critroni ransomware on underground forums, the malware is offered for around $3,000. Critroni was initially spread exclusively in Russia, but actually its infections have been observed in other countries. Several criminal gangs are using the ransomware Critroni, in many cases served through the Angler exploit kit which drops a spambot on victims’ machines. The spambot module is used by malware authors to drop a couple of other payloads, one of them is Critroni.

As many other ransomware, Critroni encrypts a variety of files on the victim’s PC and then displays a dialogue box that demands a payment in Bitcoins in order to decrypt the files.

“Persistent cryptography based on elliptic curves. Decrypt files without payment impossible. Equivalent resistance RSA-3072, exceeding all analogs. At the same encryption speed is much higher. “

Critroni ransomware 2

Victims have to pay the ransom within 72 hours, in the case that haven’t any Bitcoins, the ransomware provides some detailed instructions on how to acquire them.

Also other security firms have detected the malware, Kaspersky Lab researchers are working on this ransomware, which they identified as Onion Ransomware, the results of their investigation will be released next week.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

Security Affairs –  (Critroni , ransomware)

[adrotate banner=”5″]

[adrotate banner=”12″]

you might also like

leave a comment