Onion Ransomware Splash Screen
The message which victims of the Onion ransomware see once all the files on their computer have been infected. Kaspersky Lab

Ransomware has become one of the most pernicious and prevalent types of malware over the last couple of years, evolving from simple screen blockers to the advanced pieces of software we see today, leveraging the power of the Tor network and elliptic curve cryptography to evade detection.

The most recent evolution of ransomware was discovered by the security experts at Kaspersky Labs, and the malware - identified as Onion - uses several unique techniques to evade detection.

Ransomware is a piece of malware which locks down your computer's hard drive, encrypts all the files on it, and asks you to pay a ransom to release the files or lose them forever. In some cases the user is presented with a fake warning claiming to be from a local law enforcement agency saying it has discovered images of child pornography on your computer.

Discovered at the end of June, Onion locks down victims' Windows computers and ordering them to pay a ransom in bitcoin within a set period of time or say goodbye to all pictures, video, documents and databases.

The most well-known ransomware is Cyptolocker which rose to prominence in the last 12 months, and has elicited millions in ransoms from its victims.

The most interesting feature of this new malware is that it uses the anonymity provided by the Tor (which stands for The Onion Router) network to mask the location of the criminals behind the scheme.

Infected systems send the encrypted data back to a single, static server which has a .onion domain address meaning it resides in the Tor network.

Hide its malicious nature

While other types of malware have already used the Tor network to anonymise their tracks - such as the Chewbacca malware discovered in January - this is the first time it has been seen used with ransomware.

According to Kaspersky this feature will make it easier "to hide its malicious nature, and to make it hard to track those behind this ongoing malware campaign".

Kaspersky says that by looking at the certain strings within the body of the malware - along with the recent release of a Russian language GUI - this gives them "ground to assume that its creators are Russian speakers".

The first version of the Onion ransomware was targeting English-language users, with the splash screen which is set as the computer's default desktop wallpaper written in English.

The malware demands payment of 0.159999 bitcoins which at the current value equates to around £55, giving you 72 to pay up or risk losing your data forever.

Andromeda and elliptic curve

As well as its unique Tor-based server set-up, the Onion ransomware has a number of other unique features.

Rather than being spread using the typical phishing email method, it is spread using another piece of malware known as the Andromeda bot.

Once installed on the victims' system, the Andromeda bot receives a command to download and launch Joleee, which is a worm used to distribute spam but in this case has been reconfigured to download and launch Onion.

The final evolutionary feature of Onion is how it encrypts the data on your computer. The malware uses Elliptic Curve Diffie-Hellman (ECDH) cryptography rather than the AES+RSA combination typically used in cryptomalware.

The use of ECDH cryptography is a worrying development for this who are infected as it would not allow your data to be rescued, even if the communication between the malware and its C&C server is intercepted.