OphionLocker: Joining in the Ransomware Race
Revision as of 14:20, 14 December 2014 by Eric.freyssinet (talk | contribs) (Created page with "{{Publication |Year=2014 |Date=2014-12-12 |Editor=F-Secure |Link=https://www.f-secure.com/weblog/archives/00002777.html |Type=Blogpost |Abstract=Last August, we blogged about...")
| OphionLocker: Joining in the Ransomware Race | |
|---|---|
| Botnet | |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2014 / 2014-12-12 |
| Editor/Conference | F-Secure |
| Link | https://www.f-secure.com/weblog/archives/00002777.html (Archive copy) |
| Author | |
| Type | Blogpost |
Abstract
“Last August, we blogged about a series of ransomware that included SynoLocker and CryptoWall. In our CryptoWall blog post, we briefly mentioned the more advanced family of ransomware CTB-Locker, which uses elliptic curve cryptography for file encryption and Tor for communication with the command & control server.
This week, another ransomware emerged using the same cryptography for encryption. It was first spotted by Trojan7Malware from a malvertising campaign that used the RIG exploit kit. They dubbed the malware OphionLocker.
Upon infection, this malware uses a Tor2web URL for giving instructions on how to send the payment and obtain the decryptor tool.”
Bibtex
@misc{2014BFR337, editor = {F-Secure}, author = {}, title = {OphionLocker: Joining in the Ransomware Race}, date = {12}, month = Dec, year = {2014}, howpublished = {\url{https://www.f-secure.com/weblog/archives/00002777.html}}, }