A breed of ransomware that targets websites has taken the novel approach of using Bitcoin's blockchain, the distributed transaction ledger, to deliver decryption keys to victim systems.
Security vendor Sucuri analysed a new strain of CTB-Locker, a ransomware that first appeared in January this year, and discovered that the March version had changed how it attempts to extort money out of users.
One of the changes included a decryption test for two files, costing 0.0001 Bitcoin (5.5 Australian cents). The decryption test is to be done before paying the full ransom, lowered to 0.15 BTC from 0.4 BTC (A$83 and A$222 respectively) in the March variant of CTB-Locker.
The amended two-step Bitcoin payment system was set up by the attackers to cover the 0.0001 BTC transaction fee that must be paid to deliver decryption keys via the blockchain, Sucuri said.
Sucuri researcher Denis Sinegubko said the new version of CTB-Locker makes use of the OP_RETURN field in the Bitcoin protocol to transmit decryption keys to users' systems, fetching them via the Block Explorer website's application programming interface (API).
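For an analyst examining transactions tied to such a campaign, the first step is pulling the embedded payload out of an OP_RETURN output script. The following is an added example, not code from Sucuri or the article; it decodes the standard Bitcoin push-data encodings and scans a transaction's outputs as a block-explorer style API would return them (the `scriptPubKey`/`hex` field names and the sample outputs are constructed assumptions for this example).

```python
# Extract the data payload from Bitcoin OP_RETURN output scripts (constructed example).
from typing import Optional

OP_RETURN = 0x6A
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E


def decode_op_return(script_hex: str) -> Optional[bytes]:
    """Return the bytes pushed after OP_RETURN, or None when the output
    script is not an OP_RETURN script. Direct pushes (1-75 bytes) and the
    OP_PUSHDATA1/2/4 forms are handled; a truncated script raises ValueError."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""  # bare OP_RETURN, no payload
    op = script[1]
    if 0x01 <= op <= 0x4B:          # single-byte opcode is itself the push length
        length, pos = op, 2
    else:                            # an explicit little-endian length field follows
        width = {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}.get(op)
        if width is None:
            raise ValueError(f"unexpected opcode 0x{op:02x} after OP_RETURN")
        size_field = script[2:2 + width]
        if len(size_field) != width:
            raise ValueError("truncated push length")
        length, pos = int.from_bytes(size_field, "little"), 2 + width
    payload = script[pos:pos + length]
    if len(payload) != length:
        raise ValueError("push length exceeds script length")
    return payload


def op_return_payloads(vouts: list) -> list:
    """Collect (output index, payload) for every OP_RETURN output in a transaction's
    output list; the 'scriptPubKey' -> 'hex' layout is assumed for this example."""
    found = []
    for i, vout in enumerate(vouts):
        payload = decode_op_return(vout["scriptPubKey"]["hex"])
        if payload is not None:
            found.append((i, payload))
    return found


# Constructed sample outputs: one pay-to-pubkey-hash output and two OP_RETURN outputs.
SAMPLE_VOUTS = [
    {"value": 0.0001, "scriptPubKey": {"hex": "76a914" + "00" * 20 + "88ac"}},
    {"value": 0.0, "scriptPubKey": {"hex": "6a0b68656c6c6f20776f726c64"}},  # "hello world"
    {"value": 0.0, "scriptPubKey": {"hex": "6a4c50" + "41" * 80}},           # 80 x 'A'
]
```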
CTB-Locker originally relied on around a hundred decryption scripts left on hacked sites. As these scripts could be removed at any time, that method was not reliable, which is why the malware switched to the blockchain, Sinegubko said.
Sinegubko noted that, despite the elegant automation of decryption-key delivery, CTB-Locker had failed to scare webmasters into paying the ransom, as hosting services offer backup facilities that can be used to easily restore sites.