New Spam Campaign Pushing CTB-Locker Ransomware

The SANS Institute reports a new strain of CTB-Locker ransomware moving this week via spam messages.

A new run of spam messages this week has been spotted dropping CTB-Locker ransomware. CTB-Locker, also known as Critroni, is a fairly new piece of crypto ransomware that encrypts hard drives and demands a ransom paid in Bitcoin to the attackers in exchange for the decryption key.

Two days ago, researchers at the SANS Institute spotted messages sent from a botnet moving the Dalexis dropper which, once it infects a machine, downloads the ransomware.

Crypto-ransomware continues to grow as a worrisome scourge that is turning a profit for criminals. Despite warnings from security professionals against paying ransoms, infected organizations are taking the chance in order to get their files back before they’re irreparably damaged. The most recent publicly known payout was made by the Tewksbury, Mass., police department, which admitted two weeks ago that its systems were infected in December by the Keyholder ransomware and that it paid up after it was unsuccessful at cleaning the infection and recovering the files.

SANS Internet Storm Center handler Brad Duncan, an engineer at Rackspace, posted a list of two dozen sender addresses used in the campaign, most of which he speculates are spoofed. The subject line of each email is similar, warning that a particular account number has been temporarily locked (already yesterday, the subject lines had changed to an account being banned). The email message warns the user that unauthorized login attempts have been detected from several IP addresses, and is signed with a number of international contacts in the signature block. The malicious attachments are .zip files; a number of samples are available in the SANS post, along with their hashes.

Should the user open the infected attachment, a .scr file is extracted from the .zip file that is the Dalexis downloader. The downloader is a .CAB archive which then extracts a .RTF file and opens it on the desktop; soon thereafter, the downloader opens a backdoor connection and grabs the CTB-Locker ransomware and locks files stored on the computer.

Within minutes, a familiar banner warning is shown on the computer screen warning that personal files on the machine have been encrypted by CTB-Locker and that the victim has 96 hours to submit payment and receive the encryption key, otherwise the files will be unrecoverable.

Another screen provides the victim with payment instructions, including how to download the Tor browser and what link to follow in order to remit payment via Bitcoin—and how to buy Bitcoin to do so, if necessary.

Duncan said the malware makes numerous HTTP POST requests to different command and control servers; he said the one sample he recovered made 124 requests before getting a valid response from a server at gaglianico74[.]it. Duncan posted a number of IP addresses and domain names used as valid C&C servers.

CTB-Locker uses elliptic curve crypto to encrypt files on a compromised computer, and is one of the first crypto-ransomware to communicate with command and control over Tor. Other versions of CTB-Locker have been moved via exploit kits, including Angler; most, however, are distributed through spam messages.

Suggested articles