Malware descriptions

A new generation of ransomware

Elliptic curve cryptography + Tor + Bitcoin

Ransomware is now one of the fastest growing classes of malicious software. In the last few years it has evolved from simple screen blockers demanding payments to something far more dangerous.

The Ransomware class is now based on so-called encryptors – Trojans that encrypt every kind of data that may be of value to the user without his or her knowledge. The data can include personal photos, archives, documents, databases (e.g., databases used in 1C:Enterprise software intended for automation of business activities), diagrams, etc. In order to decrypt these files the criminals demand a payment – often a significant sum. CryptoLocker, CryptoDefence (and its successor CryptoWall), ACCDFISA, and GpCode are some of the most notorious examples. There are also lots of lesser-known families that have spread in Russia and the CIS.

At the end of June 2014 Kaspersky Lab detected a new encryptor. Analysis showed that the Trojan had nothing in common with other known families and a number of features that suggested it was a completely new creation. Its name? CTB-Locker.

This new family is detected by Kaspersky Lab as Trojan-Ransom.Win32.Onion.

This encryption malware belongs to a new generation of ransomware. Its developers used both proven techniques ‘tested’ on its predecessors (such as demanding that ransom be paid in Bitcoin) and solutions that are completely new for this class of malware. Specifically, hiding the command and control servers in Tor anonymity network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes Trojan-Ransom.Win32.Onion a highly dangerous threat and one of the most technologically advanced encryptors out there.

Description

The high-level algorithm used by the malicious encryptor is quite ordinary and is as follows:

  • after launching, the malware copies its body to (CSIDL_COMMON_APPDATA) and adds the task to launch the file to the Task Scheduler;
  • search all the fixed, removable and network drives for files matching a list of extensions (see Figure 1);


Figure 1. Data fragment with a list of file extensions used by the encryptor

  • encrypt the files found;
  • display a window demanding ransom and containing a list of files that have been encrypted. The cybercriminals demand that the user pay ransom in Bitcoins (Figures 2, 3);
  • set an image named AllFilesAreLocked.bmp as desktop wallpaper. The wallpaper informs the user that data on the computer has been encrypted (Figure 4).


Figure 2. Window informing the victim that files on the computer have been encrypted


Figure 3. The cybercriminals’ demands


Figure 4. Image set as desktop wallpaper

So what sets this Trojan apart from dozens of similar malicious programs?

The command server is located within the Tor anonymity network

The sample analyzed has a single static command server address, which belongs to the .onion domain zone.

It is worth noting that this in itself is not ‘innovative’. We have seen similar arrangements in other malware types (discussed, for example, here and here).

However, this is a new development for ransomware. Although some of the ransom Trojans from families detected earlier demanded that the victim visit a certain site on the Tor network, the malware discussed here supports full interaction with Tor without the victim’s input, setting it apart from the others.

This brings us to another feature, which is unique among known malware.

Unusual technical implementation of access to the Tor network

All the previously detected malware, if it communicated to the Tor network at all, did this in an unsophisticated manner: it launched (sometimes by injecting code into other processes) the legitimate file tor.exe, which is available for download on the network’s official website.

Trojan-Ransom.Win32.Onion does not use the existing file tor.exe. Instead, all the code needed to implement interaction with the anonymity network is statically linked to the malicious program’s executable file (i.e., is implemented as part of the malicious code) and is launched in a separate thread.


Figure 5. Pseudocode showing how launching the tor proxy thread is implemented

The code contained inside the thread_tor_proxy procedure is nearly all taken from open sources (Tor is an open-source project).

When connection to Tor has been established and a local tor proxy server has been set up at IP 127.0.0.1 (the port number varies from one infected machine to another and depends on the MachineGuid parameter), the global flag can_complete_circuit is set, which is later checked in the thread thread_post_unlock_data.

As soon as this happens, the malware establishes network communication with this local address, as shown in Figure 6.


Figure 6. Pseudocode showing how network communication with the tor proxy is implemented

A request sent by the malware to the server contains protected data required to decrypt the victim’s files.


Figure 7. Data sent to the command server

In response, the server returns data about the cost of unblocking the user’s files in bitcoins and US dollars, as well as the address of the wallet to which the payment is to be made.


Figure 8. Data returned by the command server

Compressing files before encryption

None of the encryptors known before used compression technologies (with the exception of ACCDFISA, which simply adds files to a password-protected rar-sfx archive; however, in this case encryption and compression is not functionality implemented in a malicious program but simply utilization of a ready-made product – WinRAR).

In this aspect of its operation, Trojan-Ransom.Win32.Onion also shows considerable originality. Here is what it does:

  • moves the victim’s file to a temporary file using the MoveFileEx API function;
  • reads temporary file from disk block-by-block;
  • each block is compressed using Zlib, a freely distributed library (procedure deflate());
  • after compression, each block is encrypted and written to disk;
  • service information required for decryption is placed at the beginning of the resulting file;
  • the encrypted file is given the .ctbl extension.

Unusual cryptographic scheme

Cryptomalware most commonly uses a cryptographic scheme based on the AES+RSA combination. In this scheme, the server generates a pair of keys – rsa-public + rsa-private – for RSA, which is an asymmetric encryption algorithm. The private key, rsa-private, remains on the server, while rsa-public is sent to the malware. Next, the malware generates a new key – aes-key – for each of the victim’s files, to be used by AES, a symmetric-key block algorithm. Each file is encrypted using AES, then its aes-key is encrypted using RSA (using the rsa-public key) and saved to the file.

Since the scheme uses asymmetric encryption, nobody can decrypt the file without having the rsa-private key, which never left the cybercriminals’ server.

However, Trojan-Ransom.Win32.Onion has used an unusual approach yet again!

The sample uses the asymmetric cryptographic protocol known as ECDH – Elliptic curve Diffie–Hellman.

Elliptic curve Diffie-Hellman

The original Diffie-Hellman algorithm (the so-called key exchange method or shared-secret protocol) was developed some time ago and published in 1976 by famed cryptographers Whitfield Diffie and Martin Hellman. A modification of the algorithm which uses elliptic curves was published later in 2000, in a Certicom Research article, Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography.

A detailed description of the protocol is beyond the scope of this publication, so we are going to drop the details and describe the main principles that will be helpful in understanding how the malware operates.

  • A pair of keys – private and public can be generated.
  • The so-called shared secret can be generated from your private key and the other party’s public key.
  • If the two parties have exchanged public keys (the private keys are not exchanged!) and each has independently calculated the shared secret from the other party’s public key and its own private key, both parties will get the same value.
  • The resulting shared secret can be used as a key for any symmetric encryption algorithm.

The authors of Trojan-Ransom.Win32.Onion used an existing implementation of this cryptographic algorithm, a description of which is available on the Internet.

The high-level cryptographic scheme used by Trojan-Ransom.Win32.Onion is as follows.

Key generation:

  • the malware generates the pair master-public (public key) + master-private (private key);
  • master-private is sent to the server securely along with other data. It is not saved on the client (fact I);
  • for each file to be encrypted, a new key pair is generated – session-public + session-private;
  • the shared secret is calculated: session-shared = ECDH(master-public, session-private).

Encrypting a file belonging to the victim

  • the file is compressed using the Zlib library;
  • after being compressed with Zlib, each file is encrypted using AES, with the hash SHA256 (session-shared) used as the key;
  • after encryption, the session-public key is saved in the file (fact II), while session-private is not saved (fact III);
  • the shared secret calculated – session-shared – is not saved, either (fact IV).

Decrypting a file belonging to the victim

The Diffie-Hellman protocol is designed in such a way that the following equality is true:

ECDH(master-public, session-private) = session-shared = ECDH(master-private, session-public) (fact V)

The above equality defines the underlying principle on which the operation of Trojan-Ransom.Win32.Onion is based.

Provided that the Trojan has not saved session-private (see. fact III) and session-shared (see. fact IV), only one decryption method remains – calculating ECDH(master-private, session-public). This requires the master-private key (sent to the cybercriminals’ server, see fact I) and session-public key (saved in the beginning of the encrypted file, see fact II). There are no other ways to decrypt the file, which means that the file cannot be decrypted without the master-private key.

Securing connection with the command server

The key sent to the server might be intercepted, but unfortunately, this would not be sufficient to decrypt the victim’s files. This is because the malware writers have used the same asymmetric protocol, ECDH, to protect their traffic, albeit with a separate, dedicated set of keys.

  • the malicious program’s body contains the public key, network-server-public;
  • when establishing a connection, the malware generates a new pair of keys: network-client-public + network-client-private;
  • the malware calculates the shared secret network-shared = ECDH(network-client-private, network-server-public);
  • the malware encrypts the data being sent using AES with SHA256(network-shared) used as the key;
  • the public key network-client-public is sent to the server in an unprotected form (fact VI);
  • the client keys, network-client-public + network-client-private, as well as the shared secret network-shared, are not saved (fact VII).

The cybercriminals have the key network-server-private and receive the key network-client-public from the client (see fact VI). As a result, they can decrypt the data received. To do this, they have to calculate network-shared = ECDH(network-client-public, network-server-private).

Without having network-server-private, this value cannot be calculated (see fact VII). As a result, unfortunately, intercepting traffic will not provide master-private, without which the victim’s file cannot be decrypted.

Propagation

The creators of the early versions of Trojan-Ransom.Win32.Onion had English-speaking users in view as their primary targets, so English was the only supported GUI language.

In the more recent versions, however, Russian also came to be supported in the Trojan’s GUI along with English. The piece of malware also underwent some visual refurbishments, such as a countdown displayed to intimidate the user. The new Russian GUI and, more specifically, certain strings within the Trojans’ body give us ground to assume that its creators are Russian speakers.

The analysis of how Trojan-Ransom.Win32.Onion penetrates victim computers has shown that it is different (once again) in this respect from most other encryptors that are active today. For many known ransomware programs, the main propagation vectors are spam messages with malware in an attachment, or brute forcing weak passwords and launching a file via remote administration tools.

The propagation method

We established that the bot Andromeda (detected as Backdoor.Win32.Androm by Kaspersky Lab products) receives a command to download and run another malicious program from the Email-Worm.Win32.Joleee family to the victim computer. The latter is primarily a malicious tool for sending spam emails, but it can also execute a number of commands from the cybercriminals, including the command to download and launch an executable file. It is actually Joleee that downloads the encryptor to the infected computer.

Trojan-Ransom.Win32.Onion‘s propagation procedure is presented in the following flowchart.


Figure 9. Trojan-Ransom.Win32.Onion’s propagation scheme

Global distribution

Below are the infection statistics as of July 20, 2014. Most attempted infections took place in the CIS, while there were individual cases recorded in Germany, Bulgaria, Israel, the United Arab Emirates and Libya.

Trojan-Ransom.Win32.Onion was detected in the following countries:

Country Number of users attacked
Russia 24
Ukraine 19
Kazakhstan 7
Belarus 9
Georgia 1
Germany 1
Bulgaria 1
Turkey 1
United Arab Emirates 1
Libya 1

Please note that the above numbers are provided for the verdict “Trojan-Ransom.Win32.Onion” only. The number of users attacked by the encryptor is in fact greater, as malicious packers with different verdicts are used to spread the malware. Unknown samples of the encryptor are also proactively detected by Kaspersky Lab products as “PDM:Trojan.Win32.Generic”. This data is not included into the statistics above.

Recommendations for staying safe

Backup copies of important files

The best way to ensure the safety of critical data is a consistent backup schedule. Backup should be performed regularly and, moreover, copies need to be created on a storage device that is accessible only during this process (e.g., a removable storage device that disconnects immediately after backup). Failure to follow these recommendations will result in the backed-up files being attacked and encrypted by the ransomware in the same way as the original file versions.

Backup procedures must be in place for any systems containing files of any appreciable importance. Even if no malware threats arise, remember – no one is completely secured against a commonplace hardware failure.

Security solutions

Your security solution should be turned on at all times and all its components should be active. The solution’s databases should also be up to date.

Kaspersky Lab products detect this threat based on its signature with the verdict Trojan-Ransom.Win32.Onion.*. Unknown modifications are detected heuristically with the verdict HEUR:Trojan.Win32.Generic, or proactively with the verdict PDM:Trojan.Win32.Generic.

In addition, Kaspersky Lab products incorporate the Cryptomalware Countermeasures technology which is capable of protecting user data even from unknown encryptors for which there are still no signatures or cloud-based data available. This technology is based on the principle of creating protected backup copies of personal files as soon as a suspicious program attempts to access them. The technology will automatically restore the file even if it is encrypted by malware. For this technology to operate, the System Watcher component must be enabled in the Kaspersky Lab product settings.

A new generation of ransomware

Your email address will not be published. Required fields are marked *

 

  1. Don T.

    All of my files have been encrypted. I don’t know what to do next. I have included a copy of the message included in all of my folders:
    What happened to your files?
    All of your files were protected by a strong encryption with RSA-2048 using CryptoWall.
    More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

    What does this mean?
    This means that the structure and data within your files have been irrevocably changed, you will not be able to work
    with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

    How did this happen?
    Especially for you, on our server was generated the secret key pair RSA-2048 – public and private.
    All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
    Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

    What do I do?
    Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
    If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
    1.https://kpai7ycr7jxqkilp.torminater.com/hwR4
    2.https://kpai7ycr7jxqkilp.torchek.com/hwR4
    3.https://kpai7ycr7jxqkilp.torwinner.com/hwR4

    If for some reasons the addresses are not available, follow these steps:
    1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
    2. After a successful installation, run the browser and wait for initialization.
    3. Type in the address bar: kpai7ycr7jxqkilp.onion/hwR4
    4. Follow the instructions on the site.

    IMPORTANT INFORMATION:

    Your Personal PAGE: https://kpai7ycr7jxqkilp.torminater.com/hwR4
    Your Personal PAGE(using TOR): kpai7ycr7jxqkilp.onion/hwR4
    Your personal code (if you open the site (or TOR ‘s) directly): hwR4

  2. Ioana

    Please,

    can you tell me how I can contact the criminals and MAKE THE PAYMENT in exchange for the key, AFTER THE 72 HOURS’ ?
    thank you!

  3. Agris

    If I understad it right, the CTB-Locker malware HAVE to contact to specific cybercriminals server via TOR network – before it starts encrypt user files). May be it is possible to PREVENT malicious actions (encryption) with FULLY blocking computers ability to connect / use TOR proxies?

  4. sean

    Goto your file(s) and right click on it, select option”rename”. Delete the “.(random ext) that follows original file name and detention. Make sure the original extension is still there then press enter. I found by doing this I was able to access my files. I don’t know why it worked and such, it just did. Hopefully it will work for others. This doesn’t remove the threat. That needs to be done before doing this. Good luck and apologies if this doesn’t work for you.

    1. sean

      Post script. This was done before connecting to for servers. My guess from what I’ve learns, the encryption doesn’t happen until you follow links and connect to tor server. Sorry for grammar errors. Spell correct. 🙂

  5. Milan

    Hi to everyone, first i must aplogize because my english is not fluid. I have serious issue with CBT-Locker. It has managed completely to encrypt our company files on single but very important pc . Then our yong colleague made mistake by installing KIS, so now malware executable is removed. Is there any chance that we can pay to criminals because situation cannot be worst in terms of data. What is the best method to contact Kaspersky Lab experts team for advice … if there is anything clever we can do in this situation …

  6. george

    the encryption does happen before you even are aware of what is happening ! I know, I had it on my PC on 21/1/15 by opening a commercial looking email. My antivirus did not react at all nor other secure programs, nothing special to mention at that moment.
    Only when I went back to the bureau window I saw the mention that I was infected and all personnal files ( .doc
    .jpeg etc etc ) encrypted. They are now called .doc.awzikhc !!! nothing to do ! how could you ever decrypt such a file ? if you go to the TOR server you “should maybe” get the code for decrypt but after paying in bitcoin …. Rename the files doesn’t work at all !! going to a restore point doesn’t change your .doc files, the are encrypted forever …. shame !
    criminals you will never find because of TOR connections and other stuff ( bitcoins ).

  7. george

    This happened to me sorry on 20/1/15 ( not 21 ) and I was looking for this CTBlocker everywhere on internet, found this and now follow the evolutions ….
    just want to say I am happy that I did put lots of personnal files on a external hard disk !
    Mind that if I had my external hard disk in contact with my portable PC ( USB ) all files on that disk would also have been
    encrypted !!!

  8. ctb-locker victim

    to recover ctb-locker encrypted files remove the infected hdd and connect it to a machine running linux, you should be able to recover all infected files to their original form. do not move around the encrypted files.

  9. Андрей

    Очень информативная статья, но ничего не сказано о статистике расшифрованных злоумышленниками файлов после получения оплаты. Они действительно расшифровывают файлы или после получения выкупа исчезают?

    1. E K

      Да злоумышленники как-то не торопятся делиться такими данными.

    2. bikeamtn

      @ Андрей – “Very informative article, but nothing is said about the statistics of the files decrypted by the attackers after receiving the payment. Do they really decrypt the files or after disappearing?”

      ‘A Good Question’ (‘Это хороший вопрос’).

  10. PitKoz

    I still have mail which send me this what started process, I have this what was removed to quarantine by security essentials, is there any need for this data, encryptor infected all my files in computer, including pictures of my beloved son who …. is not with me anymore. there is picture and text file with tor address and key to be provided in there, but even this website on tor network is not working. can we help each other? I need this help much…

  11. Visitor

    Can you someone tell me how the cryptolocker is started after infection? Where is main process located, filename or something? All big antivirus companies talking about this virus like a ghost. There must be executable code on infected PC, at least something like downloader in first stage. This code must be masked as valid system application or library. Tell me how it is possilbe that installed antivirus app after warning message fig.4 still say to me that 0 files infected. Yes i see some attackers work in eventviewer, there is that AV app is inpossible to start in standard time manner.

    It looks like the virus is clever and reconfigure BITS to prevent download and apply new patches from MS.

  12. LAM

    You can now add the US to the list of countries where this infection is showing up. I picked up the Tor/Win32/Onion last night by clicking on one of those “other suggested articles” you see at the bottom of the page after you read a news article.

    The .CCC extension has been added to all my personal files. Renaming worked, and the system recognized them as Word files again, however, when I tried to open them, Windows said they are corrupt.

    I did not follow the lengthy list of instructions the MFkrs sent, as I am not stupid enough to download anything a hacker sends me. This tells me the encryption happened immediately after the Malware was installed. Windows defender and the Windows Malicious Software Removal tool can’t see the infection (possibly because I hand deleted some of the download files before I invoked them).

    The only symptom I got was the browser locked up, so I closed it, but advertisement after advertisement kept playing on the speaker even though the browser was closed. I lost valuable time thinking it was an orphaned process.

    I rebooted 3 times, ( once after I disconnected from the internet) but the Trojan has it’s own recovery process imbedded in it.

    I think I am well and truly screwed. I hope whoever planted this gets a nasty STD that rots their private parts off!

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox