Ransomware: Hello Critroni and Goodbye Cryptolocker

Cryptolocker may have lost the crown, but there is an army of variants trying to encrypt your client’s files and claim the throne as King of all Ransomware.

Cryptolocker rocketed to prominence in late 2013, encrypting files on victim’s computers and demanding payment in Bitcoins to unlock them. The ransomware extorted up to $30 million from victims in 100 days, according to one estimate.

Last month, the U.S. Justice Department announced the seizure of computer servers central to Cryptolocker’s operation. Court documents highlight government attorneys reporting on July 11 that Cryptolocker’s infrastructure is “dismantled” and “no longer capable of encrypting newly infected computers.”

Is Cryptolocker dead?

At least one security researcher, Tyler Moffit of Webroot, says it is not time to bust out the party hats. He notes in his recent post, Cryptolocker is not dead:

“It is only the samples dropped on victims computers that communicated to those specific servers seized that are no longer a threat. All samples currently being deployed by different botnets that communicate to different command and control servers are unaffected by this siege – the majority of encrypting ransomware.”

What this means: the old Cryptolocker is dead, but a new variant could rise from the grave. Even if Cryptolocker returns, it could find another brand of ransomware sitting in its throne.

Critroni wants the throne

Critroni is a similar type of ransomware that went on sale in underground forums in June, according to Infosecurity, just days after the Department of Justice announced its takedown of Cryptolocker.

Critroni is also called CTB-locker for Curve/Tor/Bitcoin. As with Cryptolocker, Critroni encrypts files on a victim’s computer and demands a payment in Bitcoins to decrypt them.

It differs from its predecessor in several ways, according to Threatpost and PCWorld:

Communicates with command-and-control infrastructure via the Tor anonymity network. This makes it harder to identify and shut down the ransomware’s servers.

The author of the ransomware claims that it encrypts victims’ files before attempting to contact its command-and-control system. If true, then seizing the ransomware’s servers will not prevent files from being encrypted on newly infected computers, nor will blocking Tor traffic.

For victims who do not own Bitcoins, the malware provides detailed instructions on how to acquire them in various countries

If a victim’s infected machine cannot connect to the attacker’s server to send payment, the malware provides instructions to go to another PC, download the Tor browser, and connect to the attacker’s server to complete the transaction.

Block all ransomware

Critroni is one of hundreds of thousands – if not millions – of ransomware variants. Rather than playing malware wack-a-mole, IT providers should protect their clients by securing their networks from a broad range of threats before they strike.

Here are helpful tips on how to prevent and mitigate exposure to Cryptolocker from our blog post on the topic:

Backup - Maintain backups onsite and offsite. Test them often. Ensure they are configured to prevent backup of infected files

Limit - Classify data and limit access to important files.

Update - Maintain updates for your anti-virus, system, and applications.

Educate - Explain to clients the dangers and warning signs of phishing emails and suspicious attachments. Our partner Third Tier has a great alert email you can send to clients.

Tweak - Use software restriction policies to block the malware from infecting Windows-based systems. For details, check Third Tier’s Cryptolocker prevention kit.