Warning: Next-Gen 'Onion' PC Ransomware Highly Dangerous

Written by Alex Zaharov-Reutt      29/07/2014 | 14:53 | Category: SECURITY & SUPPORT

Kaspersky Lab has peeled back layers from Tor, 'The Onion Router', and has discovered one of the most dangerous and advanced ransomware file encryptors for Windows PC users ever made.

Warning: Next-Gen
Malware writers may well be making a massively handsome profit from a new breed of "encrypting" ransomware, but Internet security firms like Kaspersky Lab are striking back and deconstructing the newest malware threats. 

The latest malware discovery is dubbed "Trojan-Ransom.Win32.Onion" by Kaspersky Lab, and is informally known as "Onion" ransomware because it uses the so-called anonymous Tor 'The Onion Router' network to hide its malicious nature and make its creators harder to track. 

Kaspersky Lab say its developers have used "proven techniques" from earlier malware versions, such as demanding ransoms be paid in Bitcoin, as well as techniques that are "completely new for this class of malware". 

The security company these new techniques involve the Onion malware hiding its "command and control servers in Tor anonymity network" to complicate the search for its creators, and uses an "unorthodox cryptographic scheme" which makes "file decryption impossible, even if traffic is intercepted between the Trojan and the server". 


Click to enlarge

This means "Trojan-Ransom.Win32.Onion" is incredibly dangerous for Windows PC users and is "one of the most technologically advanced and sophisticated encryptors out there."

A successor to previous notorious encryptors known as "CryptoLocker, CryptoDefence/CryptoWall, ACCDFISA and GpCode", it uses a countdown mechanism to scare victims into paying for decryption in Bitcoins, with the claim of a "strict 72-hour deadline to pay up, or all the files will be lost forever."

The ransomware demands payment of 0.159999 bitcoins, which is approx. AUD $130 at time of publication. 

Fedora Sinitsyn, one of Kaspersky Lab's Senior Malware Analysts said: "Now it seems that Tor has become a proven means of communication and is being utilised by other types of malware. 

"The Onion malware features technical improvements on previously seen cases where Tor functions were used in malicious campaigns. 

"Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there."

To date, most attempted infections have been reported in Russia's CIS (Commonwealth of Independent States), alongside individual cases in Germany, Bulgaria, Israel, the UAE and Libya, with strings of Russian-language text in the interface suggesting Russian cybercriminals are responsible. 

Even so, there is no reason why the malware's creators cannot expand Onion's reach to any Windows-based Tor network users anywhere on the planet. 

Kaspersky Lab's two main recommendations for staying safe are as follows:

- Back up important files: 

The best way to ensure the safety of critical data is a consistent backup schedule. Backup should be performed regularly and, moreover, copies need to be created on a storage device that is accessible only during this process (e.g., a removable storage device that disconnects immediately after backup). 

Failure to follow these recommendations will result in the backed-up files being attacked and encrypted by the ransomware in the same way as the original file versions.

- Antivirus software 

A security solution should be turned on at all times and all its components should be active. The solution's databases should also be up to date.

Kaspersky Lab's full report on the new malware is available at its SecureList site.