The Internet just became more treacherous: ransomware has taken on a new and more dangerous guise.
Kaspersky Lab has uncovered a new version of the notorious malware, known as “Onion”, which uses the Tor anonymity network “to hide its malicious nature, and to make it hard to track those behind this ongoing malware campaign”.
Onion is a successor to the Cryptolocker ransomware that wreaked havoc across the world, with infected users asked to hand over hundreds of pounds in the virtual currency Bitcoin.
The new malware, which currently affects only Windows PCs, encrypts files in the same way as Cryptolocker and starts a similar 72-hour countdown, after which the files are said to be lost for good if the ransom isn’t paid.
Originating in Russia, it differs from Cryptolocker in that the cybercriminals use Tor to communicate with the “command and control” server that accepts payment and releases the decryption keys needed to recover the files.
“Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server,” stated Fedor Sinitsyn, senior malware analyst at Kaspersky, according to The Guardian. “All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there.”
Security researchers worry that the cover Tor provides gives Onion a step up on Cryptolocker and makes it a far greater threat than its older sibling.
Onion isn’t the first piece of malware to use Tor as a layer of protection: a variant of the Zeus banking malware was doing so back in 2013. How the security industry handles Onion will be critical to Tor’s future use by cybercriminals.