There is a new wave of attacks delivering the CTB-Locker or Critroni crypto ransomware, arriving through spam messages with a variety of lures in several different countries.
CTB-Locker is one of the newer variants in the crypto ransomware family, a kind of malware that encrypts victims’ hard drives and demands a relatively large payment in order to get the decryption key. The most famous strain of this kind of malware is CryptoLocker, which has infected tens of thousands of machines and generated millions of dollars of revenue for the gang behind it. Last year, the FBI and other authorities took down the infrastructure behind the GameOver Zeus malware, which had been used to distribute CryptoLocker, an action that disrupted some of the malware’s effectiveness.
But shortly thereafter, CTB-Locker came onto the scene, and it has a couple of interesting features. The CTB in the name stands for Curve-Tor-Bitcoin, and the malware uses elliptic curve cryptography to lock up users’ files. It also has used the Tor anonymity network for command and control operations and it typically demands the ransom payments in the form of Bitcoin.
“It uses C2 hidden in the Tor network. Previously we haven’t seen cryptomalware having C2 in Tor. Only banking trojans,” Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat, said at the time of the initial analysis. “Executable code for establishing Tor connection is embedded in the malware’s body. Previously, for malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware’s body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general.”
The CTB-Locker malware has been distributed through the notorious Angler exploit kit in the past, though the new wave of infections seems to be resulting mainly from malicious spam messages.
“The common infection vector is via an email containing a fake invoice compressed in a “.zip” or “.cab” archive file. The archives contain a binary (Dalexis dropper, usually in an “.scr” file) which, once opened, displays a decoy RTF document, waits for 5 minutes and then drops the actual CTB-Locker payload, which in turn performs the encryption routines,” an analysis from the CERT team at Société Générale says.
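The delivery chain described above (a compressed “invoice” whose archive actually holds an .scr dropper) is exactly the kind of thing a mail gateway can stop before a user ever double-clicks it. The following is an added example, not code from the article, from Kaspersky Lab or from the Société Générale CERT: it inspects a zip attachment in memory and flags members with executable extensions, document-then-executable double extensions such as `.pdf.scr`, and files whose content starts with a PE (`MZ`) header under a harmless-looking name. The extension lists, the sample archive contents and the function names are assumptions for illustration; the example handles zip only, since Python’s standard library has no .cab reader, so .cab attachments would need a separate unpacker in front of the same check.

```python
import io
import zipfile

# Extensions Windows will execute on double-click. The article names .scr;
# the others are an assumed, commonly blocked set (adjust per gateway policy).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Document-type extensions that lures commonly place before the real extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def build_archive(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed sample shaped like the fake-invoice lure: hypothetical names
    and fake bytes, not real malware data."""
    return build_archive({
        "Invoice_20150119.pdf.scr": b"MZ\x90\x00" + b"\x00" * 60,  # .scr dropper stand-in
        "Invoice_20150119.pdf": b"%PDF-1.4\n%decoy document\n",      # benign-looking decoy
        "readme.txt.exe": b"plain text, not a PE image",              # double extension, no MZ
        "quote.rtf": b"MZ" + b"\x00" * 30,                            # PE header under a document name
    })


def inspect_archive(data: bytes) -> list:
    """Return a list of (member_name, reason) pairs for members that should
    block delivery. Each member is checked for an executable extension, a
    document-then-executable double extension, and a hidden PE header."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip archive")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Use the bare filename, lower-cased, so "Dir/Invoice.PDF.SCR" is handled.
            name = info.filename.rsplit("/", 1)[-1].lower()
            parts = name.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            prev_ext = "." + parts[-2] if len(parts) > 2 else ""
            if ext in EXECUTABLE_EXTENSIONS:
                if prev_ext in DOCUMENT_EXTENSIONS:
                    findings.append((info.filename, f"document double extension {prev_ext}{ext}"))
                else:
                    findings.append((info.filename, f"executable extension {ext}"))
                continue
            # Content check: read only the first two bytes of the member so a
            # renamed executable is caught without extracting the whole file.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings.append((info.filename, "PE header under non-executable name"))
    return findings


def should_quarantine(data: bytes) -> bool:
    """Gateway decision: quarantine the message if any member is flagged."""
    return bool(inspect_archive(data))


if __name__ == "__main__":
    for member, reason in inspect_archive(build_sample_archive()):
        print(f"{member}: {reason}")
```

The header check matters because extension-only filtering is defeated by a rename, while a real PE file keeps its `MZ` signature; reading two bytes per member keeps the check cheap enough to run on every inbound archive.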
Users infected with the CTB-Locker malware have a finite amount of time in order to submit the payment, usually three or four days. The payment is usually two or three Bitcoin, and victims who don’t pay have little in the way of recourse for getting back their encrypted data.