SECURITY EVANGELIST

An introduction to ransomware

In June 2014, Operation Tovar, run by the U.S. Justice Department in collaboration with the FBI, Europol and some important names in the private sector, like Symantec, Trend Micro and McAfee, took down a large network controlled by hackers in Russia and Ukraine. They were using the Gameover platform to spread and infect systems with CryptoLocker, a dangerous piece of ransomware that encrypts your files and asks a sum of money in exchange for the decryption key.

Know Your Enemy: What is CTB Locker?

Although state authorities and private entities worked together to take down the Gameover and CryptoLocker network in 2014, we believe that everyone expected a comeback.

CTB Locker is such a comeback. It’s one of the latest developments of CryptoLocker, the ransomware trojan that spreads mainly through spam and e-mail attachments.

The name of the ransomware, CTB, comes from its main advantages: Curve-Tor-Bitcoin.

  • Curve comes from its persistent cryptography based on elliptic curves, which encrypts the affected files with a unique RSA key;
  • Tor comes from the malicious server placed in onion-domain (TOR), which is very difficult to take down;
  • Bitcoin refers to the possibility to pay in Bitcoins, avoiding normal payment systems that can lead back to online criminals;

Crime as a Service

First, we need to establish the fact that we are dealing with a type of malware specifically developed to be used by online criminals that don’t have (nor need) a very strong technical background.

For this reason, we find a malware with a well made infrastructure, easy to use and deploy by even less knowledgeable people. This means that for an amount of money, even You can enter this Crime as a Service network quite easily!

Since we are dealing with an advanced and well prepared network of malware, which is able to provide such a stable “service“, we have to point out to the additional benefits one has from joining such a network of e-crime.

The following information has been obtained by our security analysts, after they gained access to multiple malware forums from Russia and Ukraine.

By purchasing this dangerous ransomware, one also gains access to the following included services:

  • How to install the bitcoin payment for the server
  • How to edit the Locker options, such as the requested price and the language displayed
  • You even receive recommendations for the unlock price

 

How does it spread?

CTB Locker is delivered through aggressive spam campaigns. The email message pretends to be related to a FAX message that needs your immediate attention. When the email is accessed, the potential victim is asked to download and access an attached zip file.

If the zip file is accessed, the data on the system is encrypted and the victim asked for a ransom in order to receive the decryption key.

The email content is similar to this:

From: Spoofed / falsified content

Subject:

Fax from RAMP Industries Ltd
Incoming fax, NB-112420319-8448
New incoming fax message from +07829 062999
[Fax server]= +07955-168045
[Fax server]: [Random ID]

Content:

No.: +07434 20 65 74

Date: 2015/01/18 14:56:54 CST

Pages: 5

ID: [Random ID]

File name: [name of attached zip file]

Our malware analysts discovered the following e-mail subjects:

disgruntled.zip
facto.zip
headband.zip
woodworking.zip
firefly.zip

More information on this new generation of ransomware and how to remove it can be found in this article.

UPDATE 04.02.2015: The notorious CTB Locker ransomware is back. A new big email spam campaign is spreading. As you can see in the image, the spam email has an infected zip archive attached.

CTB Locker Spam

UPDATE 06.02.2015: One of our closest partners, Comendo, a cloud security company, found a clear pattern in this spread mechanism. On the 19th of January:

  • – the number of daily blocked botnets was 9.5 times higher than in a regular day, from 2 million to 19 million.
  • – the number of filtered spam emails increased 3.5 times, from 700.000 to 2.5 million.
  • – an interesting fact is also that the spam emails are reaching the Inbox while the user is actively using the PC.

Furthermore, the number of infected email attachments that are spreading CTB Locker is increasing day by day.

Taking into consideration that this data is referring only to Comendo Danish customers, we can only imagine the huge worldwide impact of this nasty malware.

UPDATE 16.04.2015: Our malware specialists detected a new spam campaign that spreads CTB Locker.

The emails arrive with a semi-dynamic content and the malicious attachments contain a dropper that brings CTB Locker on the system.

If the attachment, which is a cab-file, is unpacked, it offers a .scr file. If activated, it will deliver a dropper of the Dalexis class. This connects to a series of hard-coded URLs, from which it downloads CTB Locker.

The following subject lines are used in this new aggressive campaign:

Message from Drallim Industries Ltd
Message from Dynamic Packaging Ltd
Message from George McIvor Ltd
Message from Harrisonfield Ltd
Message from Piller (UK) Ltd
Message Z16T_571EE9433
[Altran Praxis] Fax2mail +07745 091622
[Blake Emergency Services]
6 pages from +07405-894130 Copy from +07717 60 37 48
[Corus Process Engineering] New fax message WQ-64693855D-3988
Eastman Packaging internet
fax=PCL.7038CAAC.8023
Email to fax-AN-FD6B947E4-7826
Email to fax: T34E1995C959788
Fax2mail: +07416 74 19 36
Fax2mail – L9EE0496C4165
Fax2mail=QI-84B353879-6910
Fax from Tactiq Ltd
Fax message from +07754-267-965
Fax message YJF.435371D6B.5958

And the following attachments:

swindens_patents_ltd.cab
tactiq_ltd.cab
telonic_instruments_ltd.cab
tritec_developments_ltd.cab
union_industries.cab
varivane_industries_ltd.cab
william_hughes_ltd.cab

 

How does it work?

We will present below, without entering into too much technical information, the main steps that take place in the infection phase:

  1. As we said above, the infection starts with an e-mail received by the victim and with an attached ZIP file.
  2. When the ZIP file is accessed, a downloader is placed on the system.
  3. The downloader uses a list to connect to a number of domains controlled by hackers, from where it can download the CTB Locker.
  4. One of the compromised domains sends back and installs CTB Locker on the system.
  5. The ransomware encrypts the system data with “Elliptical Curve Encryption”.
  6. A warning is presented on the screen with instructions on how to pay for the decryption key by using the bitcoin system.

CTB-locker

UPDATE 04.02.2015: The malware is deployed trough a binary code, which is executed if you open the email spam archive. Further on, when running CTB Locker, it immediately and automatically downloads its harmful main component from multiple domains. And all it’s done through a https:// secure connection.

Usually, the download has the “[% filename%]. Tar.gz” format.

Antivirus detection is, at the time of this update, very low. As you can see in this Virus Total report, only 5 from 54 security vendors are detecting the malicious payload.

How can I keep my system protected from CTB Locker?

Our malware researchers recommend the following security measures to keep your computer safe from CTB Locker:

  • Don’t download or access e-mail attachments from people you don’t know. This is the main spreading method for CTB Locker.
  • Don’t click links in e-mails you receive from unknown e-mail addresses.
  • Create a Backup for your operating system or for your most important data. Make sure the backup is not placed in the same location with your actual operating system. In case your system is affected by malware or ransomware, you will not be able to access the backup.
  • Make sure you’re security solution detects and blocks CTB Locker. At this moment, Heimdal Security is one of the few software solutions that detect this ransomware.
  • Increase your online protection level by adjusting your web browser security settings.
  • Keep your Windows operating system and your vulnerable software up-to-date with the latest security patches.

UPDATE 13.02.2015: We have found a useful security article on CTB Locker, where you can find an extensive presentation of this dangerous ransomware and what steps are available to you. Among the most important elements from the article, we noticed the importance of having a backup for your system or for your valuable information, the fact that it is quite easy to recover files that are in Dropbox, even if your Dropbox folder has been encrypted, and a CryptoPrevent tool, which is a free software that can prevent CTB Locker from being executed on the system.

 

How does Heimdal Security keep me safe?

First of all, make sure you don’t open e-mails from unknown sources and more than anything, you don’t click any link or access any attachment in the e-mail.

Second, even if the e-mail zip file is accessed and the downloader tries to communicate with the Command & Control servers through TOR, Heimdal blocks the malicious code from being sent to the system. Heimdal manages this blocking operation by blacklisting the hacker controlled domain and preventing CTB Locker from downloading on the system.

UPDATE 04.02.2015:  Luckily, Heimdal PRO blocks those domains which act as download servers. Here are some of the malicious domains:

  • sho p-oye.it
  • asp iroflash.fr
  • die ideenwerkstatt.at
  • WSB .cba.pl
  • asp iroflash.fr

UPDATE 16.04.2015: We have detected and blocked more domains that spread CTB Locker. Here they are:

  • sintjoep .nl
  • scottwall .com
  • stocksandstares .co.uk

Unfortunately, antivirus detection of CTB-locker is still low at this moment: Virus Total (26/57)

UPDATE 30.06.2015: On June 30, Heimdal Security send out a security alert to its users about a new spam run which carries a payload that releases CTB Locker.

The unsolicited e-mail arrives with the following contents:

From: [spoofed / fake return address]

Subject Line: Monthly discounts

Attached:
e-gift.doc

That document contains macros that execute VBA code. The VBA code is designed to download the CTB Locker ransomware from a predefined web page, which has already blocked in the Heimdal Secure DNS.

The malicious download URL looks like the following (sanitized by Heimdal Security)
http://gets-adobe [.] com / fid / ZmlsZToxMTA4NzQzLy8 / acez.exe (MD5: ba372961ca89f1de9521b8f5dd864f0c).

Antivirus detection gives CTB locker 29/56 on this date.

The main component is downloaded as “acez.exe” and drops itself instantly:

C: \ DOCUME ~ 1 \ [% user account%] \ LOCALS ~ 1 \ Temp \ wkqifwe.exe
C: \ WINDOWS \ system32 \ vssadmin.exe
C: \ WINDOWS \ Tasks \ cderkbm.job

The last of a total of three files copied by CTB Locker in the victim’s system creates a job under Microsoft Windows, which initiates encryption of local files and files available via shared tracks / folders. It adds “! Decrypt-All-Files-” for encrypted files containing instructions on how data can be retrieved by paying a ransom via Bitcoins.

The code calls back to the CTB Locker gateway. The communication runs via TOR.

 

Conclusion

The ransomware evolution from last years created a lot of concern in the online world and CTB Locker, together with other similar types of ransomware, are more troublesome than any other types of malicious software in the wild.

This concern is connected not only to the financial demands that are implied in the entire process, but mostly to the fact that the encrypted information may be lost forever.

No one can say for sure in such a case what someone should do: pay or not pay?

And the most important question of all, even if you pay, are they really going to give you access back to your most valuable information?

In the end, we recommend all users not to take any chance against highly trained individuals in e-crime and keep the data safe by using a security tool specially crafted for this purpose, like Heimdal Security.

So, does it pay to take a chance without protection?

This post was originally published by Aurelian Neagu in January 2015.

What is Ransomware
2017.05.15 SLOW READ

What is Ransomware and 15 Easy Steps To Keep Your System Protected [Updated]

Ransomware-Decryption-Tools
2016.10.05 QUICK READ

Ransomware Decryption Tools – Unlock Your Data for Free

Free PC Security Hacks
2015.04.15 SLOW READ

13 Free PC Security Hacks to Build Your Online Protection

Comments

Hi ,
I have three keys :
UQ36DB-VBEGZE-PSIG2C-XGQFPB-IUV7DA-YRLJYU-5R6ALY-2KRGTD
IZUJGX-TBPL22-YZHXKJ-WLCEIQ-GKE72X-HBPVBP-G4KRTI-UGFTNC
JQYOLH-RZXJJQ-FMZ4NG-EEUDYK-ADFMW3-LDO5PG-BBQYCR-OKKJWB

please help me so that I can get my files.

Is your system infected with orx locker and you are inaccessible to access any files or documents? Don’t worry there is a best tool available to remove this ransomware from the System. If you really want to get rid of orx locker then use Automatic Removal Tool. For getting information regarding this tool or method go through with this link – http://www.howtouninstallamalware.com/how-to-uninstall-orx-locker-malwarevirus-and-adware-windows-xp7810

how to recover my files and document…..my all data encrypted from ctb locker ..plz tel too needful

hi to all how to recover my doc file is hacked by ctb its like docx.jquvjoe if have any solution please reply me how to recover…

Pls help……. All my files got corrupted. Its is showing in .eycdkjm extension. I tired to upload in decryptcryptolocker.com but its showing not infrected file

Follow the steps in this guide, it should do the job: https://virushelpcenter.com/remove-ctb-locker-virus/

me too 😀

Sorry, Cherri, I do not think it likely you will get your files back. The encryption is done using a key on the Internet that would be required to unlock it. Without that key, decrypting would be an extremely difficult and resource intensive process. The NSA or another government agency might be able to do it but not for something as paltry as personal data. You could get lucky with decryption breakers, but the whole point of encryption is to STOP unauthorized users from accessing data. In this case, encryption is being used for evil.
The secondary threat is all the bogus information available on the Internet. There are reams of people willing to take your money to “try to help you”. Unless you know the company offering the service to be reliable (Trend Micro, McAffee etc) I wouldn’t trust them. I confess I hadn’t encountered Heimdal Security before, (not big in USA) but I am impressed with how they actually weed out the crapware ads from their blogs.
Many of the bogus companies rely on extensive trolling of any discussion forum where their victims may look for help, and they post fake endorsements for products that don’t work, or misrepresent the services they can provide. Nice to see Heimdal keeping their forums clean.

Hey I know the CTB-Locker virus is extremely prevelant this time of year, However; I was able to remove it from my computer using the steps listed in this 3-step guide

https://virushelpcenter.com/remove-ctb-locker-virus/

Please let me know if anyone else if successful in removing this virus. The instructions are a little lengthy but it did the trick for me.

Hope this helps atleast a few people

Nice try

Yes; very nice try. Trying to help as many people as I can! Thanks for your input “thehacktimes”

rubbish .. i’ve seen this same post on just about every site dealing with this. Your “guide” is just spam to sell spyhunter…

Rubbish? How is it rubbish of me for spreading news about the virus going around, along with a helpful guide on removing the virus? Get a job.

Will that work?

Yes, the guide on virushelpcenter.com does work.

no it doesn’t.. ALL the guides there send you to a link to purchase their software, scam site for selling dubious software….

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP
172 queries in 1.035 seconds