(originally published 7/28/2014)
The TOR (The Onion Router) anonymity network has been around for a long time, and it’s been used by everyone from corporations to activists living under oppressive regimes, to (reportedly, and likely) drug dealers and al-Qaeda operatives.
The idea behind TOR is to let a user send traffic from point A to point B through a chain of relays, with the traffic wrapped in successive layers of encryption, one for each server it passes through, so that no single server sees both where the traffic came from and where it is ultimately going. Those servers and endpoints, in turn, are run and provided by volunteers to the TOR network. The U.S. federal government, among others, is keenly interested in accessing the TOR network and identifying its users – for fairly obvious reasons.
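To make the layering described above concrete, here is an added toy illustration; it is not code from the original post or from the Tor project. A client wraps a message in one encryption layer per relay, and each relay peels only its own layer, learning the next hop but not the final destination or the message. The relay names, the shared keys and the SHA-256 counter-mode keystream are all constructed for the example; Tor itself uses AES-CTR with per-hop keys negotiated through a handshake and adds integrity checks, none of which is modelled here.

```python
import hashlib
import json
import os

# Toy onion-layered encryption. The cipher is SHA-256 in counter mode used as
# a keystream, chosen only to keep the example dependency-free; it is NOT the
# cipher Tor uses and offers no integrity protection.

NONCE_LEN = 16


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks (toy stream cipher)."""
    out = bytearray(len(data))
    for pos in range(0, len(data), 32):
        counter = (pos // 32).to_bytes(4, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        for i, byte in enumerate(data[pos:pos + 32]):
            out[pos + i] = byte ^ block[i]
    return bytes(out)


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """One layer: fresh nonce prepended to the keystream-encrypted plaintext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor_keystream(key, nonce, plaintext)


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor_keystream(key, nonce, body)


def build_onion(path, destination: str, payload: str) -> bytes:
    """Client side: wrap the payload so relay i can read only the name of
    relay i+1 (or the destination, for the exit) plus an opaque blob.

    path: list of (relay_name, shared_key) ordered from guard to exit."""
    if not path:
        raise ValueError("path must contain at least one relay")
    # Innermost layer, readable only by the exit: real destination and payload.
    layer = {"next": destination, "inner": payload}
    for i in range(len(path) - 1, -1, -1):
        name, key = path[i]
        blob = encrypt_layer(key, json.dumps(layer).encode())
        if i == 0:
            return blob
        # The layer handed to the previous relay names this relay and carries
        # the blob that only this relay's key can open.
        layer = {"next": name, "inner": blob.hex()}


def peel_layer(key: bytes, blob: bytes):
    """Relay side: strip one layer and read the next-hop instruction.
    Returns None when the key is wrong, since the plaintext will not parse."""
    try:
        return json.loads(decrypt_layer(key, blob).decode())
    except ValueError:  # includes UnicodeDecodeError and JSONDecodeError
        return None


def route(path, onion: bytes):
    """Simulate the circuit. Returns each relay's view as (relay, next_hop)
    and the payload recovered at the exit."""
    views = []
    blob = onion
    for i, (name, key) in enumerate(path):
        layer = peel_layer(key, blob)
        if layer is None:
            raise ValueError(f"{name} could not open its layer")
        views.append((name, layer["next"]))
        if i == len(path) - 1:
            return views, layer["inner"]
        blob = bytes.fromhex(layer["inner"])
    raise ValueError("empty path")


# Constructed sample circuit: three relays with made-up shared keys.
SAMPLE_PATH = [
    ("guard", b"guard-key-constructed-for-demo"),
    ("middle", b"middle-key-constructed-for-demo"),
    ("exit", b"exit-key-constructed-for-demo"),
]


def demo():
    onion = build_onion(SAMPLE_PATH, "example.org:443", "GET / HTTP/1.1")
    return route(SAMPLE_PATH, onion)


if __name__ == "__main__":
    for relay, next_hop in demo()[0]:
        print(f"{relay:>6} sees next hop: {next_hop}")
```

Running the block shows the property the paragraph relies on: the guard sees only "middle", the middle relay sees only "exit", and only the exit learns the destination and payload. Opening the outermost layer with the wrong relay's key yields nothing parseable, which is why an observer holding one relay's key still learns nothing about the rest of the circuit.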
And recently, the TOR network has increasingly become a tool for hackers running malware and botnets of various forms.
One such example is the relatively new Onion Locker, recently uncovered by Kaspersky Lab. The Onion Locker is similar to other ransomware, such as Cryptolocker, in what it does to victims and in what it demands. Like Cryptolocker, the Onion Locker is downloaded via a compromised site or app and installs itself on the user’s system. Once installed, the malware encrypts the data on that system and informs the user that they must either pay a ransom or lose the data forever. In theory, the unfortunate user then pays the ransom and receives a key that decrypts the data. In reality, whether the key ever arrives is a bit of a toss-up.
Where the Onion Locker differs from others is not so much in what it does, but in how it protects itself (and, really, its operators) from detection and prosecution. The Onion Locker, like most malware of its kind, uses a command-and-control server (or servers) to manage the interaction with the client malware on victim systems. But the Onion Locker command-and-control server(s), unlike most such systems, use The Onion Router network to encrypt and hide the transmissions between the command-and-control server and the malware client, making it hard for law enforcement to track down the command server and trace its ownership.
What’s more, the Onion Locker uses Bitcoin as its primary currency, and usually even comes with instructions for the victim to make it easier to send payment to the hackers. This has the effect of obscuring the payment itself, making it likewise difficult to track.
The Onion Locker, like the hack of Amazon Web Services servers and the platform behind the Koler ransomware Trojan, shows an increasing level of sophistication in even the most basic types of attacks. What’s more, this level of sophistication raises the question – if something as basic in concept as ransomware is becoming this sophisticated – what will the next generation of truly sophisticated hacks look like?