Skip to main content

New Crypto-Ransomware Uses Next-Gen Encryption

Credit: Carlos Amarillo/Shutterstock

(Image credit: Carlos Amarillo/Shutterstock)

A doozy of a new malware campaign uses powerful next-generation encryption to lock up your personal files, then demands you pay a ransom in Bitcoin to get the decryption key. The campaign spreads via malvertising, or malicious Web ads that can infect your PC when you click on them, or even just let them load onto your Web browser.

The malware used in the campaign is a piece of crypto-ransomware dubbed OphionLocker, which also uses the Tor anonymity protocol to disguise the communications between itself and its command-and-control servers. Here's how OphionLocker works, and how you can avoid infection.

MORE: Malvertising Is Here: How to Protect Yourself

OphionLocker is one of the first known pieces of encrypting ransomware to use nearly unbreakable elliptic-curve cryptography to encrypt the documents, photos, videos and other files on an infected computer. The keys necessary to decrypt the files are what the victim must pay for.

OphionLocker displays this notice once it's completed encryption of infected computers. Credit: F-Secure.

(Image credit: OphionLocker displays this notice once it's completed encryption of infected computers. Credit: F-Secure.)

Once infected, victims see a popup message on their PCs informing them of what has happened and including a URL hosted on Tor2web, an anonymous server reachable via the Tor anonymity protocol. Tor makes it difficult to trace the location of the server or the identity of its operators.

Victims must visit the Tor2web URL and pay a ransom of one bitcoin (about $351.25 USD, according to current exchange rates) to regain access to their files.

According to psuedonymous security blogger Trojan7Sec, OphionLocker infect PCs via malvertising, or the practice of slipping malware-laced ads into legitimate online-ad networks. Trojan7Sec first found this malvertising when it appeared in a "honeypot," or decoy server set up to attract malware.

OphionLocker is packaged with the RIG exploit kit, a bundle of malware loaded with numerous exploits for various known flaws in Web browsers and browser plugins. The kit systematically tries each exploit until it finds one that works, then injects its malware into the visiting computer.

It's important to keep your computer software as up-to-date as possible with the latest patches and security fixes to minimize the chance that an exploit kit will find a working exploit in your browser.

OphionLocker also knows how to avoid "virtual" PCs running in software environments on Web servers, which are commonly used by antivirus researchers to capture and analyze malware. According to Finnish security firm F-Secure, if OphionLockercan detects that it's running in a virtual environment, it will not deploy. 

To protect against OphionLocker and other new malware threats, make sure your PC is running a good antivirus program. You may also want to consider blocking ads or disabling Javascript on your browsers, but be aware that this blocks all ads, both malicious and legitimate, and may financially undermine the websites you often visit.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, onFacebook and on Google+.