Experts uncovered a massive CTB-Locker ransomware campaign

Pierluigi Paganini February 04, 2015

Security researchers at the CERT team at Société Générale uncovered a new malware campaign which is spreading the CTB-Locker or Critroni crypto ransomware.

Security experts at the CERT team at Société Générale discovered a new malware campaign delivering the CTB-Locker (also known as Critroni) crypto ransomware. In the past the criminals used the popular Angler exploit kit to spread CTB-Locker; this time the threat actor is distributing the ransomware through spam emails across several countries.

“CTB stands for “Curve-Tor-Bitcoin”, the three pillars of this new threat: elliptic curve cryptography to perform the encryption, Tor and Bitcoin to ensure anonymity for the payment.” states the report published by the CERT team at Société Générale. “The common infection vector is via an email containing a fake invoice compressed in a “.zip” or “.cab” archive file. The archives contain a binary (Dalexis dropper, usually in an “.scr” file) which, once opened, displays a decoy RTF document, waits for 5 minutes and then drops the actual CTB-Locker payload, which in turn performs the encryption routines.”
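The lure described above (a fake invoice archive carrying an `.scr` dropper next to a decoy document) is something a mail gateway can screen for before the message reaches a user. The following is an added example written for this article, not code from the CERT report or from Société Générale; the extension lists and the sample archive contents are assumptions constructed for illustration.

```python
import io
import zipfile

# Windows executable extensions worth flagging in an "invoice" attachment.
# .scr is the one named in the CERT report; the rest are assumed additions.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Document types a genuine invoice would be expected to carry.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".xls", ".xlsx"}


def classify_name(filename):
    """Return a reason string if the member name matches the lure, else None."""
    name = filename.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in EXECUTABLE_EXTS:
        return None
    # invoice.pdf.scr: a double extension that hides the executable type
    inner = "." + parts[-2] if len(parts) > 2 else ""
    if inner in DOCUMENT_EXTS:
        return "executable disguised as document (double extension)"
    return "executable attachment"


def suspicious_members(zip_bytes):
    """Scan an in-memory .zip and return (member, reason) pairs to quarantine."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive():
    """Constructed sample mimicking the lure: a decoy RTF beside an .scr
    dropper. Contents are placeholder bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2015.rtf", "{\\rtf1 decoy}")
        zf.writestr("invoice_2015.pdf.scr", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_archive()):
        print(f"QUARANTINE {member}: {why}")
```

The check only looks at member names; a gateway would normally combine it with archive-type detection for `.cab` files and content inspection of the extracted binary.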

CTB-Locker is one of the most recent strains of crypto ransomware: it encrypts the victims’ hard drives and demands the payment of a fee, typically in Bitcoin, in exchange for the decryption key.

The payment requested by CTB-Locker is usually two or three Bitcoin, and victims have little choice, since recovering the encrypted data without the key is practically impossible.


Unfortunately ransomware is becoming one of the most common types of malware in the criminal ecosystem: last year CryptoLocker infected tens of thousands of PCs and generated millions of dollars in revenue before the authorities shut down the GameOver Zeus botnet, which had been used to distribute it.

The principal characteristics of the CTB-Locker ransomware are the use of elliptic curve cryptography to encrypt the users’ files and the use of the Tor network to hide the command and control infrastructure.

“Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server,” Fedor Sinitsyn, a senior malware analyst at Kaspersky Lab told the Daily last year. “All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there.”

The new variant of CTB-Locker (dubbed Trojan-Ransom.Win32.Onion by the experts at Kaspersky Lab) includes other interesting features according to Sinitsyn. CTB-Locker offers its victims a sort of ‘trial demo’ whereby they can choose five files to decrypt without paying the ransom, and it is also available in three new languages to target users in the Netherlands, Germany and Italy. CTB-Locker is also able to evade detection and analysis by researchers who run it in virtual environments. Another peculiarity of the CTB-Locker ransomware is the limited amount of time it gives the victims to submit the payment: no more than four days.

“Instead of connecting directly to Tor, CTB proxies itself through six additional anonymization services in order to further complicate tracking and takedown efforts.” states Kaspersky in a blog post.

How to protect our systems?

The only way to restore the system is to have a recent backup. To prevent the infection, users need an effective antivirus solution and must make sure that all their applications and operating systems are up to date with the latest patches installed.

UPDATE

I have found further interesting data in a blog post published by Heimdal Security:
– Yesterday (03 February), a new huge email spam campaign started to spread CTB Locker again (screenshot of the email is attached)
– When running CTB Locker, it immediately and automatically downloads its harmful main component from multiple domains, through a https:// secure connection.
– Usually, the download has the “[%filename%].tar.gz” format
– Here are some of the malicious domains: sho p-oye.it; asp iroflash.fr; die ideenwerkstatt.at; WSB .cba.pl; asp iroflash.fr
– Antivirus detection is, at the time of this update, very low: https://www.virustotal.com/da/file/05ed142b50033e6b3b129433f6a7b98fa24ecf6e834e070db8567c5e881cc533/analysis/1422984539/

Pierluigi Paganini

(Security Affairs – CTB-Locker, ransomware)
