New Ransomware Uses Tor Network

Tuesday, December 16, 2014 @ 11:12 AM gHale

A new piece of ransomware is going out through an exploit kit in drive-by downloads.

Called OphionLocker, the ransomware relies on elliptic curve cryptography (ECC) to encrypt the data on the victimized computer.

RELATED STORIES
Worm Holds Phone for Ransom
Ransomware Rakes in $6M in 6 Months
Malware Steals, Self-Spreads
Ransomware gets an Upgrade

ECC is a public-key cryptographical approach based on two keys, one for locking the data, called public, and one for decrypting the files, called private, generated from the public key.

OphionLocker provides the public key, which is available in the sample, but the private one that can unlock the information ends up generated on the server controlled by the cybercriminal. Because of that, the encryption process can take place even if the infected system is not on the Internet.

Trojan7Malware found OphionLocker as the malware ended up caught in one of their honeypots during a malvertising campaign. It appears the bad guys relied on RIG exploit kit for distribution.

The researchers said, after encrypting the data (documents, databases and images) on the compromised computer, the crypto-malware displays the ransom message.

The message displays in multiple plain text files that become available on the desktop of the system.

According to the researchers, the price for getting the data back has to be in digital bitcoin currency and is set at $358.

However, this “offer” stands for only three days. Unlike in the case of other ransomware with encryption capabilities, OphionLocker does not increase the monetary demands when the time expires. Instead, the bad guys said the private key would end up deleted from their servers unless the bitcoin payment goes to the specified address.

The message provides an address in the Tor anonymity network that can end up accessed via the Tor2web proxy network where the victim can make the deposit in exchange for the private key.

The malware generates a hardware identification number, which the victim must provide at the Tor address.



Leave a Reply

You must be logged in to post a comment.