A new file-encrypting ransomware was released in mid-July 2014, with the earliest known samples detected on July 10th, 2014. This infection encrypts your data files and renames them with a .ctbl extension. It is currently referred to as CTB Locker, Critroni, and Win32.Onion.
The following are the current technical details we have on the infection:
- Encryption is based on elliptic curve cryptography (the "CTB" in the name stands for Curve-Tor-Bitcoin).
- The infection file is stored in the %Temp% folder under a random file name, for example utrswsb.exe.
- A hidden, randomly named scheduled task (job) is created that launches the malware executable when you log on. You can view it in Task Scheduler by selecting Show Hidden Tasks.
- When the infection starts, it shows a screen with a countdown of the time remaining before you are no longer able to pay the ransom.
- Encrypts all of your data files and renames them with a .ctbl extension.
- Generates a user ID for the infected computer. This user ID is embedded in several of the filenames listed below.
- Creates an image file called AllFilesAreLocked <user_id>.bmp in the My Documents/Documents folder, which the infection sets as your wallpaper. This image contains the ransom alert.
- Creates a text file called DecryptAllFiles <user_id>.txt in the My Documents/Documents folder that contains ransom instructions.
- Creates a html file called <random name>.html in the My Documents/Documents folder that contains ransom instructions.
- The ransom notes contain a personal key that you must enter on a Tor decryption site, which then tells you how to pay the ransom.
- Ransoms are paid in bitcoins and the addresses are randomly generated.
- You have 72 hours to pay the ransom.
- The current ransom amount is 0.2 BTC, or about $120 USD at the time of writing.
- Detected by Kaspersky as Trojan-Ransom.Win32.Onion. Also known as Critroni
- Communicates with its C2 server over the Tor network.
- On reboot, it copies itself under a new random name in the %Temp% folder and creates a new job to launch it.
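The host-based indicators above (the .ctbl extension, the AllFilesAreLocked/DecryptAllFiles ransom notes carrying the user ID, and a random-named .exe dropped in %Temp%) are enough for a quick triage scan. The script below is an added example, not code from the original post or from any analysis of the malware: it walks a user profile for encrypted files and ransom notes, pulls the user ID out of the note names, and lists executables sitting directly in the temp folder. The directory layout, the sample file names and the user ID value (1A2B3C) are constructed for the demo; the .html note has a random name, so it cannot be matched by filename and is not looked for here.

```python
"""Triage scan for the CTB Locker indicators listed above.

Added example, not from the original write-up. Only the indicator strings
(.ctbl extension, AllFilesAreLocked <user_id>.bmp, DecryptAllFiles <user_id>.txt,
random .exe in %Temp%) come from the post; the sample tree, file names and the
user ID format are constructed assumptions for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicators from the write-up.
CTBL_EXT = ".ctbl"
# Assumption: the user ID is a run of non-dot characters between the fixed
# prefix and the extension; the post does not specify its format.
RANSOM_NOTE_RE = re.compile(
    r"^(AllFilesAreLocked|DecryptAllFiles) (?P<uid>[^.]+)\.(bmp|txt)$",
    re.IGNORECASE,
)


@dataclass
class TriageResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    user_ids: set = field(default_factory=set)
    temp_executables: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        # Encrypted files or ransom notes are the strong signal; an .exe in
        # %Temp% alone is only corroborating, since legitimate installers drop there too.
        return bool(self.encrypted_files or self.ransom_notes)


def scan_for_ctb_locker(user_root: str, temp_dir: str) -> TriageResult:
    """Walk user_root for .ctbl files and ransom notes; list .exe files in temp_dir."""
    result = TriageResult()
    for dirpath, _dirs, files in os.walk(user_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(CTBL_EXT):
                result.encrypted_files.append(path)
                continue
            match = RANSOM_NOTE_RE.match(name)
            if match:
                result.ransom_notes.append(path)
                result.user_ids.add(match.group("uid"))
    if os.path.isdir(temp_dir):
        for name in os.listdir(temp_dir):
            # The dropper lives directly in %Temp% under a random name, so
            # every .exe at the top level of that folder is worth a look.
            if name.lower().endswith(".exe"):
                result.temp_executables.append(os.path.join(temp_dir, name))
    return result


def build_sample_tree(root: str):
    """Create a constructed victim layout under root; returns (user_root, temp_dir)."""
    user_root = os.path.join(root, "Users", "victim")
    documents = os.path.join(user_root, "Documents")
    pictures = os.path.join(user_root, "Pictures")
    temp_dir = os.path.join(root, "Temp")
    for d in (documents, pictures, temp_dir):
        os.makedirs(d, exist_ok=True)
    sample_files = [
        os.path.join(documents, "report.docx.ctbl"),          # encrypted
        os.path.join(pictures, "holiday.jpg.CTBL"),           # encrypted, upper-case
        os.path.join(documents, "AllFilesAreLocked 1A2B3C.bmp"),  # wallpaper note
        os.path.join(documents, "DecryptAllFiles 1A2B3C.txt"),    # text note
        os.path.join(documents, "xkqzp.html"),                # random-named html note
        os.path.join(documents, "untouched.txt"),             # benign file
        os.path.join(temp_dir, "utrswsb.exe"),                # dropper (name from the post)
    ]
    for path in sample_files:
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
    return user_root, temp_dir


def demo() -> TriageResult:
    """Build the constructed tree in a fresh temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="ctb-triage-")
    user_root, temp_dir = build_sample_tree(root)
    return scan_for_ctb_locker(user_root, temp_dir)


if __name__ == "__main__":
    r = demo()
    print("infected:", r.infected)
    print("user IDs:", sorted(r.user_ids))
    print("encrypted:", len(r.encrypted_files), "notes:", len(r.ransom_notes),
          "temp exes:", r.temp_executables)
```

On a real host, point scan_for_ctb_locker at the user's profile directory and at the expanded %Temp% path; the persistence job is not a file under the profile, so check it separately in Task Scheduler with Show Hidden Tasks enabled (or with `schtasks /query /v /fo LIST`, looking for a task whose "Task To Run" points into %Temp%).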
Stay tuned for more details.