By CagedTech in Ransomware

Threat Scorecard

Threat Level: 10 % (Normal)
Infected Computers: 1
First Seen: December 18, 2014
Last Seen: September 6, 2020
OS(es) Affected: Windows

OphionLocker is a ransomware infection that encrypts the victim's files. PC security analysts who examined OphionLocker when it was discovered in late 2014 noted that it is notable for its use of elliptic curve cryptography (ECC) in the encryption of the computer user's files. OphionLocker is also notable for being one of a wave of ransomware infections that use Tor in order to demand payment from their victims. OphionLocker is distributed using the RIG Exploit Kit: computer users visiting a compromised website may encounter malicious scripts that redirect them to an attack domain which, using the RIG Exploit Kit, tries to install OphionLocker on their PCs. After the files have been encrypted, OphionLocker displays a pop-up message alerting the victim to the attack. To recover the encrypted files, according to the OphionLocker message, it is necessary to visit a URL contained in the message in order to buy the decryption key. The message warns: 'From now on you have 72 hours to pay or the key will be permanently deleted from our server, and you won't EVER get your files back.'

How the OphionLocker Attack Works

During the OphionLocker attack, numerous text files named ENCRYPTED [name of the file].txt are created on the victim's computer. These files contain a generated ID specific to the victim's computer. When computer users enter this ID at the OphionLocker URL, a message claims that it is necessary to pay a ransom in Bitcoin. The OphionLocker ransom is 1 BTC, which amounted to about $350 USD at the exchange rate of the time. One aspect of OphionLocker that makes it more difficult than other malware to shut down is its use of Tor. The URL involved in the OphionLocker attack is reached through Tor2web, a gateway that lets an ordinary browser load a Tor hidden service, and contains the instructions on how to pay for the decryption. Because the hidden service address stays the same behind any Tor2web gateway, blocking one gateway domain does not take the payment site down. Tor is a service that provides online anonymity. Although it has been used effectively by activists and political dissidents, it has also become a haven for illicit activities such as the distribution of child sexual abuse material and drug trafficking. Unfortunately, threat developers have begun to include Tor in their attacks, which makes it far harder for malware researchers to track the source of the attacks and shut them down.

Additional Issues with OphionLocker

Other ransomware often relies on a network connection to fetch its encryption key from a command-and-control server, so it can be stopped before any damage is done if that server is unreachable. Unfortunately, OphionLocker embeds a public encryption key in its executable, which permits OphionLocker to encrypt files without an Internet connection; the matching private key needed for decryption never leaves the attackers' server. This makes OphionLocker much more difficult to stop than other similar threat infections. OphionLocker also can detect if it is being run in a virtual machine. After the ID number generated in a virtual environment is entered on the site, OphionLocker will return the decryption utility; however, this decryption utility will not decrypt the files, despite claiming that they have been decrypted. ECC is notable because it offers strong security with much smaller keys than RSA, which is why it is favored on devices that need to save battery life or have limited processing power (such as mobile devices). OphionLocker is not the first infection that combines ECC and the Tor infrastructure: PC security analysts uncovered CTB-Locker in August 2014, and other threats that use similar techniques include SynoLocker and CryptoWall. Unfortunately for computer users, ransomware infections like OphionLocker are growing in sophistication, using increasingly advanced techniques to prevent removal and detection and to strip computer users of their money.
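
The Go program below is an added example, not code from the original article and not OphionLocker's own code, showing the hybrid scheme that makes offline encryption with an embedded public key possible: the encryptor carries only a P-256 public key, generates a fresh ephemeral key per run, derives an AES-256-GCM key from the ECDH shared secret, and stores the ephemeral public key in front of the ciphertext so the server can later reproduce the secret. The curve, cipher, key derivation and blob layout are assumptions chosen for the demonstration (the page does not describe OphionLocker's actual parameters), the sample plaintext is constructed, and the code needs Go 1.20 or newer for crypto/ecdh.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	pointLen = 65 // uncompressed SEC1 encoding of a P-256 public key
	nonceLen = 12 // standard AES-GCM nonce size
)

// GenerateServerKey creates the long-term key pair that stays on the attackers'
// server; only its public half would be embedded in the encryptor binary.
func GenerateServerKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// aeadFromShared turns an ECDH shared secret into an AES-256-GCM cipher. Hashing
// the secret directly is an assumption made for brevity; a real design uses HKDF.
func aeadFromShared(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptWithPublicKey needs nothing but the embedded public key: an ephemeral
// P-256 key is generated, ECDH against the server's public key gives a shared
// secret, and AES-256-GCM encrypts the plaintext. The ephemeral private key is
// dropped on return, so only the server's private key can recompute the secret;
// no network access is involved. Layout: ephemeralPub || nonce || ciphertext || tag.
func EncryptWithPublicKey(serverPubBytes, plaintext []byte) ([]byte, error) {
	curve := ecdh.P256()
	serverPub, err := curve.NewPublicKey(serverPubBytes)
	if err != nil {
		return nil, err
	}
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFromShared(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(eph.PublicKey().Bytes(), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// DecryptWithPrivateKey is the server-side step the victim is asked to pay for:
// the ephemeral public key in the blob plus the server's private key reproduce
// the shared secret. Any other private key fails GCM authentication.
func DecryptWithPrivateKey(serverPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < pointLen+nonceLen {
		return nil, errors.New("ciphertext too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:pointLen])
	if err != nil {
		return nil, err
	}
	shared, err := serverPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFromShared(shared)
	if err != nil {
		return nil, err
	}
	nonce := blob[pointLen : pointLen+nonceLen]
	return gcm.Open(nil, nonce, blob[pointLen+nonceLen:], nil)
}

func main() {
	key, _ := GenerateServerKey()
	// Constructed sample input standing in for a victim file's contents.
	blob, _ := EncryptWithPublicKey(key.PublicKey().Bytes(), []byte("constructed sample: report.docx"))
	got, err := DecryptWithPrivateKey(key, blob)
	fmt.Printf("recovered=%q err=%v\n", got, err)
	other, _ := GenerateServerKey()
	_, err = DecryptWithPrivateKey(other, blob)
	fmt.Println("unrelated private key:", err)
}
```

The point of the round trip is the one the article makes: the victim's machine holds no secret that could be recovered from memory or disk, and no command-and-control round trip is needed before encryption starts, so blocking the attackers' server after infection does not help. Detection has to happen before or during encryption, and recovery without the attackers' private key depends on backups. A ciphertext decrypted with any other key, or a blob with a single flipped byte, fails the GCM authentication check rather than yielding garbage.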

Dealing with OphionLocker

Unfortunately, there is currently no way of decrypting affected files without the attackers' private key. However, the OphionLocker infection itself is not difficult to remove from the infected computer. Malware researchers therefore counsel computer users to protect their machines with strong security software and to always keep crucial documents backed up to storage that the infected machine cannot overwrite.
