Stealthy ransomware 'Critroni' uses Tor, could replace Cryptolocker

The Cryptolocker takedown led to a better designed, more resilient ransomware threat

Cybercriminals are spreading a new file-encrypting ransomware program that's more powerful and resilient than Cryptolocker, a threat recently shut down by the U.S. Department of Justice.

The new ransomware threat is called CTB-Locker (Curve-Tor-Bitcoin Locker), but Microsoft anti-malware products detect it as Critroni.A. Its creator has been advertising the program to other cybercriminals on Russian-language forums since the middle of June and it seems that he's been trying to fix most of Cryptolocker's faults.

Critroni uses a file encryption algorithm based on elliptic curve cryptography, which its creator claims is significantly faster than encryption schemes used by other ransomware threats. This also makes decrypting the affected files impossible without paying the ransom, if there are no implementation flaws.

Like Cryptolocker, Critroni generates a public and private key pair for every infected system. The public key is stored on the infected computer and given to the victim, who is then asked to pay a ransom in Bitcoin in order to recover the files.

The private key, which is used to decrypt the files, is stored on a remote command-and-control server that, in the case of Critroni, can only be accessed over the Tor anonymity network. This is a precaution that the creator has taken in order to make it difficult for law enforcement agencies or security researchers to identify and shut down the server.

In early June, the DOJ along with law enforcement agencies from several other countries took control of the Gameover Zeus botnet which was distributing the Cryptolocker ransomware. During the operation the authorities also seized the Cryptolocker command-and-control servers.

"Cryptolocker must communicate with its command and control infrastructure in order to encrypt newly infected computers," the DOJ told a Pennsylvania federal court on July 11 in a status update. "As of today, the injunctive relief ordered [...] knocked all of Cryptolocker's infrastructure offline, and has thereby neutralized Cryptolocker."

To prevent a similar takedown Critroni was designed to complete the file encryption operation locally before connecting to the command-and-control server. This also makes it hard for network security products to detect it early and block it by analyzing traffic.

Blocking Tor traffic only prevents the user from paying, not the program from functioning, the Critroni author said in his advertisement.

The new ransomware program initially targeted Russian-speaking users, but variants seen lately also display the ransom message in English, suggesting that the threat is now distributed more widely, said an independent malware researcher known online as Kafeine in a blog post Friday. "It seems to be a strong, well thought piece of malware."

Despite the DOJ's success against Cryptolocker, not all security researchers believe that the threat is dead. The DOJ's claim that the threat has been neutralized should be scrutinized because the seizure of command-and-control servers only impacted Cryptolocker samples distributed by the Gameover Zeus botnet, said Tyler Moffitt, a security researcher at Webroot in a blog post Thursday. "All samples currently being deployed by different botnets that communicate to different command and control servers are unaffected by this siege."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags U.S. Department of JusticeWebrootsecurityencryptionmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?