
CTB Locker or DecryptAllFiles.txt Encrypting Ransomware sets extension to .CTBL



amethist
11-13-2012,
A full CTB Locker guide can be found here: CTB Locker and Critroni Ransomware Information Guide and FAQ



A new file-encrypting ransomware was released in mid-July 2014, with the earliest known samples being detected on July 10th 2014. This infection will encrypt all your files and then rename them to a .CTBL extension. It is currently referenced as CTB Locker, Critroni, and Win32.Onion.

The following are the current technical details we have on the infection:

Encryption based on elliptic curves
Infection file is stored in the %Temp% folder as a random file name. For example, utrswsb.exe.
A hidden and randomly named job is created that launches the malware executable when you log on. You can view the jobs by selecting Show Hidden Tasks.
When the infection starts it will show you a screen that tells you how much time is left before you are no longer able to pay the ransom.
Encrypts all of your data files and saves them as a file with a .ctbl extension.
Generates a user id for your infected computer. This user id will be embedded in a variety of filenames listed below.
Creates an image file called AllFilesAreLocked <user_id>.bmp in the My Documents/Documents folder that the infection will use as your wallpaper. This contains the ransom alert.
Creates a text file called DecryptAllFiles <user_id>.txt in the My Documents/Documents folder that contains ransom instructions.
Creates an HTML file called <random name>.html in the My Documents/Documents folder that contains ransom instructions.
Ransom notes contain a personal key that you must input in a TOR decryption site that will then tell you how to pay the ransom.
Ransoms are paid in bitcoins and the addresses are randomly generated.
You have 72 hours to pay the ransom.
Current rate of the ransom is .2 BTC or about $120 USD.
Detected by Kaspersky as Trojan-Ransom.Win32.Onion. Also known as Critroni.
Communicates with the C2 server via TOR network.
On reboot will copy itself to a new name in the %Temp% folder and create a new job to launch it.

Screenshot of the ransom screen is below:
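The file-system indicators listed in this post (the .ctbl extension and the AllFilesAreLocked <user_id>.bmp / DecryptAllFiles <user_id>.txt notes in Documents) lend themselves to a quick triage script. The following is an added example written for this thread, not code from the post or from any vendor; it assumes the note names use exactly the form given above with a single space before the user id, and that the user id is any run of non-whitespace characters, since the post does not state its format.

```python
import os
import re
from collections import Counter
from typing import Iterable

# Indicators from the post above: encrypted files carry a .ctbl extension and the
# ransom notes are dropped in Documents as "AllFilesAreLocked <user_id>.bmp" and
# "DecryptAllFiles <user_id>.txt". The form of <user_id> is not stated, so it is
# assumed here to be any run of non-whitespace characters.
NOTE_RE = re.compile(r"^(AllFilesAreLocked|DecryptAllFiles) (\S+)\.(bmp|txt)$", re.I)
ENCRYPTED_EXT = ".ctbl"


def _split(path: str):
    """Split on either separator so listings from Windows images work on any host."""
    i = max(path.rfind("\\"), path.rfind("/"))
    return (path[:i], path[i + 1:]) if i >= 0 else ("", path)


def triage_paths(paths: Iterable[str]) -> dict:
    """Classify a file listing (disk image export or os.walk output) for CTB Locker traces."""
    encrypted, notes, user_ids, dirs = [], [], set(), Counter()
    for p in paths:
        d, name = _split(p)
        if name.lower().endswith(ENCRYPTED_EXT):
            encrypted.append(p)
            dirs[d] += 1
            continue
        m = NOTE_RE.match(name)
        if m:
            notes.append(p)
            user_ids.add(m.group(2))
    return {
        "encrypted_count": len(encrypted),
        "notes": notes,
        "user_ids": sorted(user_ids),       # more than one id suggests more than one run
        "dirs_by_count": dirs.most_common(),
        "infected": bool(encrypted or notes),
    }


def walk_tree(root: str) -> list:
    """Collect every file path under root for triage_paths() on a live or mounted system."""
    return [os.path.join(b, f) for b, _, files in os.walk(root) for f in files]


# Constructed sample listing (not real victim data) for an offline run.
SAMPLE = [
    r"C:\Users\alice\Documents\AllFilesAreLocked 7F3A9C.bmp",
    r"C:\Users\alice\Documents\DecryptAllFiles 7F3A9C.txt",
    r"C:\Users\alice\Documents\report.docx.ctbl",
    r"C:\Users\alice\Pictures\holiday.jpg.ctbl",
    r"C:\Users\alice\Pictures\untouched.png",
]

if __name__ == "__main__":
    print(triage_paths(SAMPLE))
```

On a mounted image, `triage_paths(walk_tree(mount_point))` gives the same summary; the directory counts show where encryption reached, which is useful when deciding what to restore from backup.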

amethist
11-21-2012,
Expect to see more of this crap coming out in the future. Kafeine posted about this 10 days ago. This malware is being sold on the black market as a subscription service. More info here:

amethist
11-29-2012,
Created a dedicated guide on this infection:

CTB Locker and Critroni Ransomware Information Guide and FAQ

amethist
12-07-2012,
Agreed. They probably feel a low price will entice people to just pay.