Cybercrooks have brewed a strain of ransomware that uses elliptic curve cryptography for file encryption, and Tor for communication.
The malware, dubbed OphionLocker, is spreading using a malicious advertising (malvertising) campaign featuring the RIG exploit kit.
The ransomware encrypts files of particular types on infected systems before using a Tor2web URL as a conduit for instructions on how to send the payment and obtain the decryptor tool. The extortionists are asking for a payoff of 1 BTC ($352 at current rates of exchange).
F-Secure reports that if the infection happens in a virtual environment, no ransom payment is requested for a "decryptor tool", which (perhaps unsurprisingly) doesn't work. Virtual environments are commonly used by anti-malware researchers.
The tactic of treating virtual machines differently appears geared towards making analysis that bit more difficult, ultimately to keep the scam running for longer.
Despite the high-profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud. The use of Tor and elliptic curve cryptography places OphionLocker in the top tier of such scams, but is not unprecedented.
A previous strain of ransomware, CTB-Locker, pioneered the use of elliptic curve cryptography for file encryption and Tor for communication with a command and control server.
OphionLocker was first spotted by Trojan7Malware. ®
Elliptic curve cryptography (ECC) is a form of public-key cryptography whose security rests on the difficulty of computing the discrete logarithm of a random elliptic curve element, that is, recovering the scalar k from the point k·G when G is a known base point. This, like the more familiar problem of factoring the product of two very large prime numbers, offers a one-way function (easy to compute in one direction, infeasible to reverse) to underpin the security of public-key cryptography systems.
ECC offers equivalent levels of security with much smaller key sizes (a 256-bit ECC key is generally reckoned comparable to a 3072-bit RSA key), a particular advantage on systems with limited computing power, such as smartphones.
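To make the one-way function described above concrete, here is an added worked example (not code from the article, F-Secure, or any of the malware discussed) of elliptic curve arithmetic over a deliberately tiny field: the textbook curve y² = x³ + 2x + 2 over GF(17), whose group has 19 points. Scalar multiplication (the easy direction) is a short double-and-add loop; recovering the scalar from a point (the discrete logarithm, the hard direction) is done here by exhaustive search, which only works because the group has 19 elements. The `ecdh_shared` function shows the same property put to use: two parties each keep a private scalar, exchange only public points, and still land on the same shared point. The curve, generator and scalars are illustrative choices, not parameters from any real deployment.

```python
from typing import Optional, Tuple

# Toy curve y^2 = x^3 + a*x + b over GF(p). Textbook parameters chosen so the
# whole group (19 points) can be enumerated by hand; NOT a standard curve.
P = 17
A = 2
B = 2
G = (5, 1)  # generator; the group order 19 is prime, so G has order 19

# A point is an (x, y) tuple; None stands for the point at infinity (identity).
Point = Optional[Tuple[int, int]]


def on_curve(pt: Point) -> bool:
    """True if pt satisfies the curve equation (the identity always does)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def _inv(v: int) -> int:
    """Modular inverse via Fermat's little theorem (P is prime)."""
    return pow(v % P, P - 2, P)


def add(p1: Point, p2: Point) -> Point:
    """Group law: chord-and-tangent addition of two points."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 == -p1, so the sum is the identity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P  # tangent slope
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k: int, pt: Point) -> Point:
    """Scalar multiplication k*pt by double-and-add: the easy direction."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def point_order(pt: Point) -> int:
    """Smallest n > 0 with n*pt == identity (only sane for tiny groups)."""
    n, cur = 1, pt
    while cur is not None:
        cur = add(cur, pt)
        n += 1
    return n


def brute_force_dlog(base: Point, target: Point) -> Optional[int]:
    """Find k with k*base == target by exhaustive search: the hard direction.

    Feasible here only because the group has 19 elements. On a 256-bit curve
    the best known generic attacks still need on the order of 2^128 steps.
    """
    cur: Point = base
    k = 1
    while cur is not None:
        if cur == target:
            return k
        cur = add(cur, base)
        k += 1
    return None


def ecdh_shared(priv_a: int, priv_b: int) -> Tuple[Point, Point]:
    """Elliptic-curve Diffie-Hellman: both sides derive the same point.

    Each party publishes priv*G and multiplies the peer's public point by its
    own private scalar; an eavesdropper sees only the public points and would
    have to solve the discrete logarithm to recover either scalar.
    """
    pub_a = mul(priv_a, G)
    pub_b = mul(priv_b, G)
    return mul(priv_a, pub_b), mul(priv_b, pub_a)


if __name__ == "__main__":
    print("order of G:", point_order(G))
    print("7*G =", mul(7, G), "-> dlog recovers", brute_force_dlog(G, mul(7, G)))
    print("ECDH shared points:", ecdh_shared(4, 11))
```

Swap in a 256-bit prime, curve coefficients and generator and `mul` still runs instantly, while `brute_force_dlog` and `point_order` become hopeless; that asymmetry is the whole point of the construction, and it is why an attacker can afford to ship a public point inside a binary while keeping the matching scalar elsewhere.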