Kaspersky Lab has uncovered a type of encrypting ransomware that attempts to hide its malicious nature.
Dubbed “Onion,” because it uses the anonymous network Tor (the Onion Router) to make it hard to track, it encrypts user data and then demands ransom for decryption.
Kaspersky Lab senior malware analyst, Fedor Sinitsyn, said the malware demonstrates how Tor has become a proven tool and is being implemented into other types of malware.
“The Onion malware features technical improvements on previously seen cases where Tor functions were used in malicious campaigns,” he said.
This new malware, which uses a countdown mechanism to scare victims into paying for decryption in Bitcoins, is described by Sinitsyn as the potential successor to Cryptolocker.
Users affected by the ransomware are warned to pay up within a 72-hour deadline or all the files will be lost forever.
The new normal
The Onion transfers secret data and payment information with command and control servers within an anonymous network.
Sinitsyn said this kind of communication architecture existed in the past, though it was limited to banking malware families such as the Tor-enhance 64-bit ZeuS.
“Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals,” he said.
“The use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server.”
Sinitsyn said these characteristics add up to a “highly dangerous threat,” as well as one of the “most technologically advanced encryptors” in existence today.
Patrick Budmar covers consumer and enterprise technology breaking news for IDG Communications. Follow Patrick on Twitter at @patrick_budmar.