"The encrypting ransomware is called 'Onion' due to the fact it uses the anonymous network Tor (the Onion Router) in a bid to hide its malicious nature, and to make it hard to track those behind this ongoing malware campaign," according to Kaspersky.
Onion is being described as a successor to the Cryptolocker ransomware, which we reported on last year, that wreaked havoc across the world as users infected by the malware were forced to hand over bucketloads of money in Bitcoin to keep their data.
The new malware, which currently only affects Windows PCs, encrypts files in the same way as Cryptolocker and starts a similar countdown lasting 72 hours, after which all the files are deleted forever if the ransom isn't paid.
Kaspersky Lab senior malware analyst, Fedor Sinitsyn, said the malware demonstrates how Tor has become a proven tool and is being implemented into other types of malware.
“The Onion malware features technical improvements on previously seen cases where Tor functions were used in malicious campaigns,” he said.
“Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server,” stated Fedor Sinitsyn, senior malware analyst at Kaspersky.
"All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there."
The Onion transfers secret data and payment information with command and control servers within an anonymous network.
Sinitsyn said this kind of communication architecture existed in the past, though it was limited to banking malware families such as the Tor-enhanced 64-bit ZeuS. He said these characteristics add up to a "highly dangerous threat," as well as one of the "most technologically advanced encryptors" in existence today.
Kaspersky says that certain strings within the body of the malware, along with the recent release of a Russian-language GUI, give it "ground to assume that its creators are Russian speakers".
The first version of the Onion ransomware targeted English-language users, with the splash screen, which is set as the computer's default desktop wallpaper, written in English.
The malware demands payment of 0.159999 bitcoins (approximately $130 AUD), giving users 72 hours to pay up or risk losing data forever.
Kaspersky recommends that "your security solution should be turned on at all times and all its components should be active. The solution's databases should also be up to date." For more, see the Kaspersky post in question.