New type of ransomware more sophisticated and harder to defeat

Jul 29, 2014 by Bob Yirka
Window informing the victim that files on the computer have been encrypted. Credit: Kaspersky Lab

A new type of ransomware, known simply as Onion, has been discovered by the Russia-based security firm Kaspersky Lab. To force victims to hand over money, the software encrypts stored data files, demands payment in Bitcoin, and uses the Tor anonymity network to hide the infrastructure the victim is made to contact. Thus far, the ransomware appears to be restricted mostly to Windows users in Russia and other eastern European countries.

Ransomware is a relatively new development. It is not a virus, per se, but software that runs without permission on a user's computer. Earlier variants displayed a full-screen message demanding money, with instructions on how to send it. That message was meant to stay on the screen even after a reboot, blocking every other application and so preventing the user from using the computer until they paid up. Antivirus makers quickly developed workarounds for most such screen lockers, and authorities traced the source of much of the software and shut it down, so in most places the threat was mitigated. Now it appears it is back, and this time it is much more sophisticated: instead of merely locking the screen, it encrypts the files themselves, so removing the malware does not restore the data.

A user is typically attacked when they click on a link in a piece of junk mail. That sets in motion a series of events that leaves the victim with little choice but to pay the ransom. A popup informs the user that their files have been encrypted (with a list of the affected files) and that they must pay in Bitcoin, or the key needed to unlock the files will be destroyed, permanently preventing the user from regaining access to them.

Using the Tor network makes it nearly impossible for authorities to track down the people behind the malware. The authors have also used an unusual encryption scheme in which the decryption key is never exposed on the wire, so the files cannot be recovered even if the communications traffic is intercepted. Inspection of the code by researchers at Kaspersky Lab suggested the programmer was likely a native Russian speaker.
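The article does not describe Onion's scheme beyond saying that intercepting the traffic does not help. The following is an added example, written for this page and not taken from Kaspersky's analysis or from the malware itself, of the standard way to get that property: hybrid encryption in which the sample carries only the operator's public key, generates a fresh ephemeral X25519 key per file, and encrypts the file under the ECDH-derived AES-GCM key. That Onion uses exactly this construction is an assumption; the function names, the operator key and the sample document are all constructed for the example. The point for a defender is the same either way: the ciphertext, the ephemeral public key and any captured traffic contain nothing that reverse engineering or packet capture can turn into the decryption key, which is why backups, not traffic analysis, are the recovery path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Blob is everything the malware would leave on disk or send home for one
// file: the victim-side ephemeral public key, the AES-GCM nonce and the
// ciphertext. None of these lets an eavesdropper recover the file key.
type Blob struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// NewOperatorKey generates the operator's long-term X25519 key pair
// (assumed design). Only the public half would be embedded in a sample;
// the private half never leaves the operator.
func NewOperatorKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor derives a 256-bit AES-GCM key from a raw ECDH shared secret.
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext so that only the holder of operatorPub's private
// half can open it. A fresh ephemeral key is made per file, so the shared
// secret exists in memory only for the moment it is used.
func Seal(operatorPub *ecdh.PublicKey, plaintext []byte) (*Blob, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	// Bind the ephemeral public key as associated data so it cannot be
	// swapped without the authentication tag failing.
	ct := aead.Seal(nil, nonce, plaintext, ephPub)
	return &Blob{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recomputes the shared secret from the operator's private key and the
// ephemeral public key carried in the blob. Without that private key the
// blob, and any traffic that carried it, is useless to an interceptor.
func Open(operatorPriv *ecdh.PrivateKey, b *Blob) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(b.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, b.EphemeralPub)
}

func main() {
	op, err := NewOperatorKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a victim's document.
	blob, err := Seal(op.PublicKey(), []byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	// What an eavesdropper sees: a public key, a nonce and ciphertext.
	fmt.Printf("ephemeral pub: %x\nciphertext: %x\n", blob.EphemeralPub, blob.Ciphertext)
	// Same material, a different private key: authentication fails.
	stranger, _ := NewOperatorKey()
	if _, err := Open(stranger, blob); err != nil {
		fmt.Println("interceptor with own key:", err)
	}
	pt, err := Open(op, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("operator recovers:", string(pt))
}
```

Run it with `go run` on Go 1.20 or later (the `crypto/ecdh` package is not in older releases). Note what a sample built this way would expose to an analyst: the operator's public key, which is no help, and per-file ephemeral public keys, which are equally useless without the operator's private half; the only way the encrypted data comes back is through that private key or through a backup made before the infection.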

Thus far, computer users impacted by the ransomware have been restricted to those living in Russia and several countries that were formerly part of the Soviet Union. Experts predict it is only a matter of time before it spreads, so efforts are under way to counter the threat and to find those responsible for it. In the meantime, security experts are advising computer users to back up their files onto removable media, and to keep that media disconnected except while a backup is being made, since a drive that is attached when the infection runs will be encrypted along with everything else.


Related Stories

Ransomware no cause for New Year celebration: Sophos

Dec 16, 2013

(Phys.org) —From operating systems on desktops to software and peripherals on smartphones, information thieves have been clever, inventive and successfully stealthy in finding pathways for stealing personal ...

Ransoms paid by two of every five victims of CryptoLocker

Feb 28, 2014

New research from the University of Kent has revealed that around 40% of people who fall victim to an advanced form of malware, known as CryptoLocker, have agreed to pay a ransom of around £300 to recover their files.

Media shock stories about GameOver Zeus are not helpful

Jun 06, 2014

We need to watch out for headlines like the ones earlier this week warning that people had two weeks to protect themselves from a "powerful computer attack". It can end up scaring people who have little idea ...


User comments: 14

Dr_toad
Jul 29, 2014
This comment has been removed by a moderator.
Expiorer
1 / 5 (2) Jul 29, 2014
If he uses Tor professionally, nobody will catch him.
kochevnik
1 / 5 (3) Jul 29, 2014
Tor only uses 64 bit encryption. Easy to crack relatively
antialias_physorg
5 / 5 (8) Jul 29, 2014
Easy fix: Don't use Windows. Don't be stupid.

No OS is safe against viruses.
Linux/Unix has a long history of root exploits.
Don't even get me started on Apple OSs.
And Chrome OS will surely not be without its faults.

That Windows is the most targeted OS doesn't mean the other ones are safe.
These guys want to make money. Of course they will target the OS with the widest distribution first.
dtxx
3 / 5 (2) Jul 29, 2014
Easy fix: Don't use Windows. Don't be stupid.


You should follow your own advice when posting.

In any case, here's what you meant to say: back up important files regularly, and the most this will do is inconvenience you, just like other malware.

btb101
1 / 5 (3) Jul 29, 2014
according to sources Tor was co-developed with the NSA.. so it can be cracked..
antialias_physorg
5 / 5 (5) Jul 29, 2014
" back up important files regularly"

...and make sure to disconnect your backup drive after you're done. Otherwise it'll just get encrypted, too.
ShotmanMaslo
5 / 5 (3) Jul 29, 2014
according to sources Tor was co-developed with the NSA.. so it can be cracked..


It is open source so it does not matter that much who originally contributed to its development

Tor is not easy to crack
excellentjim
not rated yet Jul 29, 2014
The information in the story is somewhat inaccurate. I had this attack hit one of my clients (a utility company) almost a year ago. We simply restored the server to a date before the attack.
Dr_toad
Jul 29, 2014
This comment has been removed by a moderator.
sigfpe
1 / 5 (1) Jul 29, 2014
> Don't even get me started on Apple OSs.

I've been using Macs for many years. I've never run an antivirus product. I've never seen any evidence of virus infection. Most of my friends run MacOSX at home. None of them has ever experienced a virus on their machines. Meanwhile I have to put up with an endless stream of phishing and spam from my friends of family with Windows machines that have been compromised. I was pretty happy when I threw the last Windows machine out of the house. Apple machines are far safer than Windows machines. People who tell me Macs aren't safe from viruses have to stretch things pretty hard with claims like "you could get a Word macro virus".
Kinryu
5 / 5 (3) Jul 29, 2014
>I've been using Macs for many years. I've never run an antivirus product. I've never seen any evidence of virus infection. Most of my friends run MacOSX at home. None of them has ever experienced a virus on their machines. Meanwhile I have to put up with an endless stream of phishing and spam from my friends of family with Windows machines that have been compromised. I was pretty happy when I threw the last Windows machine out of the house. Apple machines are far safer than Windows machines. People who tell me Macs aren't safe from viruses have to stretch things pretty hard with claims like "you could get a Word macro virus".


Used Windows for many years and I have never got a virus either :) We don't need arbitrary cases here; the facts are there exist exploits but OS X only holds 7.4% of the market, it is not really worth the time to find them all. Since Windows has a larger user base it also comes with more inexperienced users that aren't going to know what they're getting into.
Arties
5 / 5 (2) Jul 29, 2014
the programmer was likely a native Russian speaker
Just another reason to love the Russians...
alfie_null
not rated yet Jul 30, 2014
This sort of (mis)use of Tor - if it becomes widespread I can easily imagine movement towards charging operators of Tor nodes as accomplices or otherwise involving them in legal woes. Thus far, little traffic carried on the Tor network makes much negative impression on the public. This changes that.
antialias_physorg
4.3 / 5 (3) Jul 30, 2014
This sort of (mis)use of Tor - if it becomes widespread I can easily imagine movement towards charging operators of Tor nodes as accomplices or otherwise involving them in legal woes.

It's a bit worse than that. It's already come to light that the NSA has put a student in Germany on their surveillance list just because he ran a Tor server.
(If you google you will find numerous, politically backed, attempts at suing Tor. Not to win, but just to drive the people involved into bankruptcy from the legal bills)

One of the more nasty ways to get at Tor is server poisoning (i.e. someone in the pay of the NSA et al. sets up a number of Tor servers and tracks what comes through). That's one of the weaknesses in the Tor architecture: you rely on the people running the servers being good guys.
pandora4real
not rated yet Aug 02, 2014
Exactly, Toad. It is un-FREAKING-believable that no major news source ever says "Microshaft" in these stories. Could you imagine a GM recall for Goodyear tire failures and no story ever saying "Goodyear"?

And if you don't get infected using Windoze you're still wasting 50% of your hardware resources running countermeasures and supporting poor memory management, virtually non-existent multi-tasking and all manner of proprietary BS.
