Mystery 'Onion/Critroni' ransom Trojan evolves to use more sophisticated encryption

Tries out more efficient Elliptic Curve Diffie-Hellman

Kaspersky Lab has added more detail on the fiendish 'Onion' (aka 'Critroni') ransom Trojan that uses the Tor anonymity service to hide its command and control (C&C) as well as displaying a level of thoughtfulness about its encryption design that bodes ill for future attacks.

CryptoLocker was bad but with the program that kicked off the peak of the ransom malware age now largely neutered thanks to police intervention the criminals have already moved on to the next set of innovations.

As Kaspersky researcher Fedor Sinitsyn explains, recent crypto malware uses a cunning mixture of public key (i.e. asymmetric) RSA encryption to protect a primary key, which in turn encrypts the AES (i.e. symmetric) key used to scramble each file on a victim's system.

That's already quite a grown-up, if logical, way to attack a user's PC: even with huge amounts of processing horsepower the symmetric key can't be attacked, because anyone attempting it would first have to get hold of the criminal's private key.

Onion could have used RSA or Diffie-Hellman for the public key encryption part of its nastiness, but the criminals behind it decided to showboat a bit and use the more advanced Elliptic Curve Diffie-Hellman (ECDH) instead. The significance of this? Kaspersky's blog on the topic dodges that question, but the overriding reason must have something to do with the key efficiency of elliptic curve cryptography.

Securing a 128-bit AES key using RSA would ideally require a 3,072-bit key; doing the same using ECDH drops that to 256 bits. Put another way, the same level of security can be reached with fewer cycles. The temptation for anyone exploiting this aspect of ECDH would be, one assumes, to ramp up the key sizes to boost security even further.
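The hybrid design described above, as an added example that is not part of the article or of Kaspersky's analysis: a sender performs an ephemeral ECDH against a static public key, wraps a per-file symmetric key under the derived secret, and transmits only the ephemeral public point plus the wrapped key, so anyone who captures that transcript together with the static public key still needs the static private key to unwrap, which is the point Sinitsyn makes about intercepted traffic. The curve (secp256k1), the hash-based KDF and the XOR stand-in for AES are assumptions, not Onion's actual parameters.

```python
import hashlib, secrets

# secp256k1 parameters (assumed for illustration; the article does not name Onion's curve)
P_MOD = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # P + (-P)
    if a == b:                                        # doubling
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; teaching code only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)
def kdf(shared_point):
    """Derive a 32-byte wrapping key from the shared point's x-coordinate."""
    return hashlib.sha256(shared_point[0].to_bytes(32, "big")).digest()
def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_file_key(static_pub, file_key):
    """Sender: ephemeral ECDH against the static public key wraps the symmetric file key,
    then the ephemeral scalar is discarded. XOR with SHA-256 output stands in for AES."""
    d_e, q_e = keygen()
    return q_e, xor_bytes(file_key, kdf(ec_mul(d_e, static_pub))[:len(file_key)])

def unwrap_file_key(static_priv, transcript):
    """Only the holder of the static private key can recompute the shared point."""
    q_e, wrapped = transcript
    return xor_bytes(wrapped, kdf(ec_mul(static_priv, q_e))[:len(wrapped)])
```

The transcript returned by `wrap_file_key` is exactly what an observer on the wire would see; `unwrap_file_key` with any scalar other than the static private key yields garbage.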

Or it could be that the criminals are testing their smarts for a new generation of crypto malware that will up the ante to silly levels far beyond law enforcement. That suggests a wider interest beyond conning consumers and small businesses out of a heap of Bitcoins, the currency demanded by Onion.

To make matters worse, the designers of Onion repeated this ECDH design when encrypting the traffic to and from their server, which is itself hosted inside Tor. Using Tor to cover C&C is not new for botnets, although none of the common ransom Trojans had tried this approach until Onion appeared.

There are pros and cons to this. Tor should in theory slow down the to and fro of traffic, but it also buys time. Researchers will take a lot longer to trace C&C servers if they are hidden within Tor, and for the criminals that is worth a lot for a business built on milking victims in days and weeks rather than months.

"Now it seems that Tor has become a proven means of communication and is being utilised by other types of malware," said Sinitsyn, who believed that its use had proved successful.

"Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server," he added.

"All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there."

So far, the Trojan seems to have been picked up relatively early in its release, so it is not invulnerable. The number of infected systems in a handful of countries numbered only a few dozen, the firm said, although different variants probably also existed.

Ransom and encryption-based malware is going through a boom right now, spurred on by the toxic legacy of CryptoLocker's success. When that was disrupted in June, police said that it might return in time. A more disturbing possibility is that it won't return at all but a clutch of skilled imitators will.
