In recent times ransomware has become much more aggressive. The first samples, which appeared after the boom in fake antivirus programs, only simulated locking the computer in order to demand a ransom, so one way or another they could be removed, like the "police virus" that prevented booting into safe mode.
Although ransomware that encrypts files has always existed, lately it has become the protagonist on specialized security sites.
One of the latest is called OphionLocker. The name was given by the Trojan7Malware blog, the first place where it was analyzed, and it comes with several new features. One of them is that it uses elliptic curve cryptography to encrypt files, something that is not common in this kind of malware. But beyond the technical details, the serious part, as has been happening lately, is that once the files are encrypted they can only be recovered with a private key that the attackers send to the victims once they pay a sum of money.
This can be disastrous for a company or a user, because from one moment to the next they are left without all their documents (images, Office files, etc.), and if there is no backup there is no option other than paying to recover them.
This new variant also uses Bitcoin as the means of payment, the well-known virtual currency that is slowly gaining ground online.
On the F-Secure blog they have posted a screenshot of the message that appears once the computer is infected:
There it states that the documents have been encrypted and that the key needed to recover them will only be available for 72 hours. The message is accompanied by a URL where the payment must be confirmed; this page is hosted on the Tor network to remain anonymous and avoid being taken down:
The payment demanded is 1 BTC (Bitcoin), which at the current price is more than 300 dollars. This is a problem not only because it is a fairly large sum of money, but because most victims have no idea how to obtain Bitcoin.
Bitcoin has become a currency in everyday use in the criminal world, replacing the various payment gateways and subscription services that cybercriminals used to rely on. The advantage for them is that transactions are anonymous in the sense that there are no names, addresses or any other data behind them. There is no way to track who receives that Bitcoin.
Another novelty of this ransomware is that it does not request payment when it runs in a virtual environment, such as those commonly used by researchers or the police. This is a fairly common protection mechanism against forensic analysis; in fact, there is malware that runs only once and then deletes itself to leave no traces, or that only runs on powerful computers so as not to produce the classic symptom of a computer slowed down by being full of viruses. Others go so far as to remove competing Trojans in order to be the sole owners of the infected computer.
In this case the behavior is curious because, in addition to not requesting payment, it provides a link to the program that supposedly includes the private key to recover the files. But the program does not actually work, so perhaps they only do it to toy with analysts a bit.
This type of malware can end up on our computer in various ways: for example, it can be hidden in a cracked game or program, spread through social engineering by email, social networks or infected sites, and it can even install itself automatically by exploiting a vulnerability in our system. To stay protected it is not enough to have an updated antivirus; the good practices I have discussed so many times, and common sense, are necessary.
Backups in these cases can be a lifesaver. A home user may not need to make them every day, but in an office environment it is necessary to have a backup policy in order to be prepared. It costs nothing to make one at the end of the day, either manually or automatically.