Friday, 30 January 2015 17:56

Cyber Criminals Increasingly Use Anonymizing Tools for Ransomware Infrastructure Featured

Recent FBI investigations reveal that ransomware authors continue to improve ransomware code by using Tor hidden services for end-to-end communication and bitcoin to collect ransom payments. The increase in sophistication is likely due to lessons learned by cyber criminals following the FBI seizure of Cryptolocker domains and backend servers in late May 2014.

First identified in late April 2014, CryptoWall was the first ransomware variant to accept payment exclusively in bitcoins. CTB - Locker, which was released in mid - June 2014 (after Cry ptoWall) , also requires ransom payment exclusively in the form of bitcoins. The operators of CryptoWall also use numerous bitcoin addresses to receive victim payments and route transactions through multiple addresses. The fund flow pattern and the use of an unregistered exchanger concealing its true location hinder efforts to trace the victim payments to their final destination.

At the end of July 2014, a more sophisticated variant of CryptoWall, CryptoWall v2, emerged. The new variant uses a modified Tor executable to communicate with up to three Tor hidden service C2 servers hardcoded into the program. The modification was likely to remain competitive with newer malware variants like CTB - Locker. CryptoWall victims are provided with an Internet Web address where they can access the ransom payment page, decrypt one file as proof that their files can be recovered, or contact CryptoWall support. The URL for this site is a Tor hidden service; however, the actors provided a Tor bridge, which allows victims to access the Tor site via the Internet. CTB - Locker is the first ransomware to use Tor for its C2 infrastructure. CTB - Locker uses Tor exclusively for its C2 servers and only connects to the C2 aft er encrypting victims’ files.

Additionally, unlike other ransomware variants that utilize the Tor network for some communication, the Tor components are embedded in the CTB - Locker malware, making it more efficient and harder to detect


Precautionary measures to mitigate ransomware threats include:

Ensure anti-virus software is up-to-date.

Implement a data back - up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location.

Backup copies of sensitive data should not be readily accessible from local networks.

Scrutinize links contained in e-mails, and don’t open attachments included in unsolicited e-mails.

Only download software - especially free software - from sites you know and trust.

Enable automated patches for your operating system and Web browser