OphionLocker, A New Ransomware uses Elliptic Curve for Encryption, Tor for Communication & Malvertising for Propagation

A new variety of ransomware has been discovered by Trojan7Malware researchers. Dubbed OphionLocker, this ransomware is very unique in the sense that it uses elliptic curve cryptography for file encryption and Tor for communication. Another distinctive signature of OphionLocker is that it uses malvertising campaigns to propagate itself rather than the traditional spear-phishing methods.

Elliptic Curve Cryptography

Elliptic curve cryptography (ECC) is a form of public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits of ECC is that it provides the same level of security with much smaller keys.

This form of cryptography rests on the hardness of computing the discrete logarithm of a random elliptic curve element with respect to a known base point. This, like the more familiar problem of factoring the product of two very large primes, offers a one-way function to underpin the security of public-key cryptosystems. Because the best known attacks on the elliptic curve discrete logarithm are far less efficient than those on factoring, ECC offers equivalent security at smaller key sizes, a particular advantage on systems with limited computing power, such as smartphones.

Working

Once a potential victim has downloaded the malware by visiting a website serving the malvertising code, it encrypts the available files and then uses a Tor2web URL to direct the victim to an instruction page explaining how to pay for the decryptor tool. The attackers demand a payment of one Bitcoin for the decryption tool, which translates to $350 at today's exchange rate. However, the price of the decryptor tool can change according to the geolocation of the victim. Trojan7Malware has published the following list of file extensions targeted by this ransomware, which is similar to the file types encrypted by CryptoLocker and TorLocker.

Extensions encrypted (as the null-separated string appears in the sample, the 0 being the null byte between entries):

"accdb",0,".ai",0,".arw",0,".bay",0,".blend",0,".cdr",0,".cer",0,".cr2",0,".crt",0,".crw",0,".dbf",0,".dcr",0,".der",0,".dng",0,".doc",0,".docm",0,".docx",0,".dwg",0,".dxf",0,".dxg",0,".eps",0,".erf",0,".indd",0,".jpe",0,".jpg",0,".jpeg",0,".kdc",0,".mdb",0,".mdf",0,".mef",0,".mrw",0,".nef",0,".nrw",0,".odb",0,".odm",0,".odp",0,".ods",0,".odt",0,".orf",0,".p12",0,".p7b",0,".p7c",0,".pdd",0,".pdf",0,".pef",0,".pem",0,".pfx",0,".ppt",0,".pptm",0,".pptx",0,".psd",0,".pst",0,".ptx",0,".r3d",0,".raf",0,".raw",0,".rtf",0,".rw2",0,".rwl",0,".srf",0,".srw",0,".wb2",0,".wpd",0,".wps",0,".xlk",0,".xls",0,".xlsb",0,".xlsm",0,".xlsx",0,0"
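The quoted, null-separated form above is how the list comes out of a string dump, not how a defender wants to consume it. The following added example (not code from the original report or from Trojan7Malware) parses that exact string into a normalized extension set and offers a small helper for scoping exposure, for instance when deciding which shares need verified offline backups or where to place canary files. The variable names and the normalization rule (adding the missing leading dot to "accdb") are my own assumptions.

```python
import re
from pathlib import PurePath

# The extension string exactly as published in the Trojan7Malware write-up
# (null bytes rendered as ",0,"). Embedded here so the script runs offline.
RAW_EXTENSION_STRING = (
    '"accdb",0,".ai",0,".arw",0,".bay",0,".blend",0,".cdr",0,".cer",0,".cr2",0,'
    '".crt",0,".crw",0,".dbf",0,".dcr",0,".der",0,".dng",0,".doc",0,".docm",0,'
    '".docx",0,".dwg",0,".dxf",0,".dxg",0,".eps",0,".erf",0,".indd",0,".jpe",0,'
    '".jpg",0,".jpeg",0,".kdc",0,".mdb",0,".mdf",0,".mef",0,".mrw",0,".nef",0,'
    '".nrw",0,".odb",0,".odm",0,".odp",0,".ods",0,".odt",0,".orf",0,".p12",0,'
    '".p7b",0,".p7c",0,".pdd",0,".pdf",0,".pef",0,".pem",0,".pfx",0,".ppt",0,'
    '".pptm",0,".pptx",0,".psd",0,".pst",0,".ptx",0,".r3d",0,".raf",0,".raw",0,'
    '".rtf",0,".rw2",0,".rwl",0,".srf",0,".srw",0,".wb2",0,".wpd",0,".wps",0,'
    '".xlk",0,".xls",0,".xlsb",0,".xlsm",0,".xlsx",0,0"'
)


def parse_extension_list(raw: str) -> frozenset:
    """Turn the quoted, null-separated dump into a set of lowercase '.ext' strings.

    Only complete quoted tokens are taken, so the dangling terminator quote at
    the end of the dump is ignored. A token without a leading dot (the report's
    "accdb") is normalized to ".accdb"; this normalization is my assumption.
    """
    tokens = re.findall(r'"([^"]+)"', raw)
    normalized = set()
    for tok in tokens:
        tok = tok.strip().lower()
        if not tok:
            continue
        if not tok.startswith("."):
            tok = "." + tok
        normalized.add(tok)
    return frozenset(normalized)


TARGETED_EXTENSIONS = parse_extension_list(RAW_EXTENSION_STRING)


def is_targeted(path: str) -> bool:
    """True if the file's extension is in the published list (case-insensitive)."""
    return PurePath(path).suffix.lower() in TARGETED_EXTENSIONS


def count_exposed(paths) -> int:
    """Count how many of the given paths would be in scope for this sample.

    Useful for a quick inventory of a file share or backup set; the paths are
    whatever listing the defender already has.
    """
    return sum(1 for p in paths if is_targeted(p))


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    sample = ["report.DOCX", "photo.jpg", "archive.zip", "keys.pem", "notes.txt"]
    print(len(TARGETED_EXTENSIONS), "extensions;", count_exposed(sample), "of",
          len(sample), "sample files in scope")
```

The count reported by the parser matches a hand count of the published list, which is a cheap sanity check that the regex has not silently dropped entries when the dump is copied from another write-up.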

One interesting aspect of this ransomware is that it tries to be aware of the environment it is running in. If the malware detects a virtual environment, it will not ask for any payment to be made. Virtual environments are generally used by security researchers to analyze malware such as this one.

Another distinctive feature of this malware is that it generates a HWID (hardware identification) number to ensure that only one sample can be generated per PC.

The authors/handlers of this malware seem to be using these techniques to hide the ransomware from security researchers for as long as possible, and also to blacklist any PC which they deem to have been compromised by the security researchers.

OphionLocker is deadlier than previous ransomware families because it does not need internet connectivity or user interaction to begin encryption. This is because a public key is already present in the payload downloaded by the victim, so the malware never has to fetch a key from a command-and-control server before it starts. This makes it harder to detect or to prevent infection.
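The two passages on elliptic curve cryptography and on the embedded public key describe one mechanism: a party holding only the recipient's public key can run an elliptic curve Diffie-Hellman (ECDH) exchange against it entirely offline, and only the holder of the matching private key can reproduce the derived secret. The following added example (my own code, not from the report or the malware) implements that key agreement from scratch over secp256k1 so the argument can be checked without a crypto library; the function names and the SHA-256 key derivation step are my assumptions, and the curve constants are the public domain parameters. From a defender's point of view the point to take away is that blocking network egress after infection does not help here, because no key exchange ever crosses the wire.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants). The 256-bit modulus gives
# security comparable to a 3072-bit RSA key, which is the "smaller keys" benefit.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """Check y^2 = x^3 + A*x + B (mod P). None represents the point at infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law on the curve; handles infinity, doubling and inverse points."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add. Computing k from k*G is the discrete logarithm problem."""
    result = None
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair():
    priv = secrets.randbelow(N - 1) + 1          # uniform in [1, N-1]
    return priv, scalar_mult(priv, G)


def ecdh_shared_key(priv, peer_pub):
    """Derive a 32-byte symmetric key from the x coordinate of priv * peer_pub."""
    shared_x = scalar_mult(priv, peer_pub)[0]
    return hashlib.sha256(shared_x.to_bytes(32, "big")).digest()


def offline_key_agreement(recipient_pub):
    """The side that holds only a public key: no network, no recipient involvement.

    Returns the ephemeral public point (which must be stored alongside anything
    protected with the key) and the derived symmetric key.
    """
    eph_priv, eph_pub = generate_keypair()
    return eph_pub, ecdh_shared_key(eph_priv, recipient_pub)


def recover_key(recipient_priv, ephemeral_pub):
    """The private-key holder reproduces the same symmetric key later."""
    return ecdh_shared_key(recipient_priv, ephemeral_pub)


def demo():
    """True iff the key round-trips and a different private key cannot recover it."""
    recipient_priv, recipient_pub = generate_keypair()
    other_priv, _ = generate_keypair()
    eph_pub, key_at_sender = offline_key_agreement(recipient_pub)
    return (recover_key(recipient_priv, eph_pub) == key_at_sender
            and recover_key(other_priv, eph_pub) != key_at_sender)


if __name__ == "__main__":
    print("ECDH round trip OK:", demo())
```

The ephemeral public point is the only thing the sender has to keep, and it reveals nothing useful without the recipient's private key; that asymmetry is exactly why a victim machine cannot undo what it did even though it performed every computation itself.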

Ransomware getting more and more stubborn

The propagation and viciousness of these ransomware families, and of the handlers/attackers/authors behind them, seem to be getting better and bolder, using more and more sophisticated cryptographic techniques. Despite the high-profile CryptoLocker takedown, ransomware remains a deadly threat to users. The advancement in techniques adopted by the authors of such malware can be seen in OphionLocker, which uses smaller keys through elliptic curve cryptography and the Tor anonymity network for communication with its command and control server.

Source: Trojan7Malware

Delwyn Pinto
A person proud to have an alternate view

2 COMMENTS

  1. The malware writers are ahead of most security I see. Hacks all over the place. These criminals manage to stay ahead of the latest attempts (by the good guys), which is a scary thing; why won't we change our ways, instead of being forced into doing something we don't want to? The blackmail of Sony is only one more example of this. Beware the future we are ignoring…

  2. Two things: I would have appreciated more information on the actual attack vector and which systems this is targeting.

    Secondly: nothing is “very unique”. Unique means one-of-a-kind; something is either unique or it isn’t, it can’t be “more” or “very” unique.
