CTB-Locker

Overview
"CTB-Locker emerged in June 2014 and is one of the first ransomware variants to use Tor for its C2 infrastructure. CTB-Locker uses Tor exclusively for its C2 servers and only connects to the C2 after encrypting victims' files. Additionally, unlike other ransomware variants that utilize the Tor network for some communication, the Tor components are embedded in the CTB-Locker malware, making it more efficient and harder to detect. CTB-Locker is spread through drive-by downloads and spam emails."