The malware Win32.Onion is circulating in the National Network

The company Segurmática alerts on the circulation in the National Network of the malware Win32.Onion (aka Trojan-Ransom.Win32.Onion), new version of the international malware known as CBT-Locker. It has already been reported infections in the country.

This Trojan is a “ransomware” that encrypts files in the infected PC and in the shared resources with write permission and asks the affected user for a ransom in order to decrypt the files.

The primary channel of infection is through spam emails with an attachment that is supposed to be a fax or a form with extension .scr. The attachments may be named with random dictionary words and to avoid the filters of messaging servers they use a compressed zip with another .scr file inside.

At the time of the infection the program scans the computer searching for data files and encrypts them with a password, making them inaccessible to the user. Among the encrypted files are those of office, databases, images, digital certificates, compressed files, etc.

The following image shows the screen that warns you that your computer has been infected by the CTB-Locker

Recommendations to avoid infection:

  • Avoid opening files attached to messages received via email without previous notice, from dubious sources or unknown senders.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .com, .exe, .pif and .scr files, among other executable files.
  • Backup should be performed regularly
  • Do not share files with permanent write permission.
  • Antivirus solutions should be up to date

Segurmática Antivirus detects in a generic way the last versions of this malware. However, due to the polymorphic nature and constant evolution of this malware, which allows it to change in each infection, it is recommended to keep strict vigilance over it, be observant of new alerts and reinforce the security measures previously recommended.

In case of an infection with this malware, we recommend to communicate with and consult the company Segurmática.