
CTB-Locker Ransomware Support and Help Topic - DecryptAllFiles.txt


512 replies to this topic

#1 Grinler

    Lawrence Abrams

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 28 July 2014 - 06:43 PM

A full CTB Locker guide can be found here: CTB Locker and Critroni Ransomware Information Guide and FAQ

 

A new file-encrypting ransomware was released in mid-July 2014, with the earliest known samples detected on July 10th 2014. This infection will encrypt all your files and then rename them to a .CTBL extension. It is currently referred to as CTB Locker, Critroni, and Win32.Onion.

The following are the current technical details we have on the infection:
  • Encryption is based on elliptic curves.
  • The infection file is stored in the %Temp% folder under a random file name, for example utrswsb.exe.
  • A hidden, randomly named job is created that launches the malware executable when you log on. You can view these jobs by selecting Show Hidden Tasks.
  • When the infection starts it will show you a screen that tells you how much time is left before you are no longer able to pay the ransom.
  • Encrypts all of your data files and saves them as files with a .ctbl extension.
  • Generates a user id for your infected computer. This user id is embedded in a variety of the filenames listed below.
  • Creates an image file called AllFilesAreLocked <user_id>.bmp in the My Documents/Documents folder that the infection will use as your wallpaper. This contains the ransom alert.
  • Creates a text file called DecryptAllFiles <user_id>.txt in the My Documents/Documents folder that contains ransom instructions.
  • Creates an html file called <random name>.html in the My Documents/Documents folder that contains ransom instructions.
  • The ransom notes contain a personal key that you must input into a TOR decryption site, which will then tell you how to pay the ransom.
  • Ransoms are paid in bitcoins and the addresses are randomly generated.
  • You have 72 hours to pay the ransom.
  • The current rate of the ransom is .2 BTC, or about $120 USD.
  • Detected by Kaspersky as Trojan-Ransom.Win32.Onion. Also known as Critroni.
  • Communicates with the C2 server via the TOR network.
  • On reboot it will copy itself to a new name in the %Temp% folder and create a new job to launch it.
Screenshot of the ransom screen is below:

ransom-screen.jpg

Stay tuned for more details.
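A defender-side triage sweep for the file artifacts listed above, added here as an example and not code from this thread or from the BleepingComputer guide. It assumes the .ctbl extension and the "AllFilesAreLocked <user_id>" / "DecryptAllFiles <user_id>" note names exactly as the post gives them; the accepted user_id character set and the sample tree it builds are constructed assumptions.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed note-name pattern, built from the filenames the post lists; the
# user_id format is not stated in the thread, so any non-space run is accepted.
NOTE_RE = re.compile(r"^(AllFilesAreLocked|DecryptAllFiles)\s+(?P<uid>\S+)\.(bmp|txt)$")

def triage(root):
    """Walk `root` and collect CTB-Locker-style file indicators (hypothetical helper)."""
    encrypted, notes, user_ids = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".ctbl"):      # data files renamed by the infection
                encrypted.append(path)
                continue
            m = NOTE_RE.match(name)                 # ransom notes dropped in Documents
            if m:
                notes.append(path)
                user_ids[m.group("uid")] += 1
    return {
        "encrypted_count": len(encrypted),
        "encrypted_sample": sorted(encrypted)[:5],
        "ransom_notes": sorted(os.path.basename(n) for n in notes),
        "user_ids": sorted(user_ids),
        "likely_infected": bool(encrypted) or bool(notes),
    }

def demo_tree(root, infected=True):
    """Build a constructed sample profile tree (not real malware output)."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "notes.txt").write_text("constructed clean file")
    if infected:
        (docs / "thesis.docx.ctbl").write_bytes(b"\x00constructed")
        (docs / "AllFilesAreLocked ABC123.bmp").write_bytes(b"BM")
        (docs / "DecryptAllFiles ABC123.txt").write_text("constructed note")
    return root

def run_demo(infected=True):
    """Triage a throwaway tree; returns the indicator summary for inspection or tests."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(demo_tree(tmp, infected))
```

Call `triage()` against a user profile root to get the summary; the hidden logon job and the %Temp% executable the post describes are not covered here and should be checked in Task Scheduler with Show Hidden Tasks as the post says.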



#2 Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 28 July 2014 - 07:34 PM

Expect to see more of this crap coming out in the future. Kafeine posted about this 10 days ago. This malware is being sold on the black market as a subscription service. More info here:

http://malware.dontneedcoffee.com/2014/07/ctb-locker.html

#3 Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 28 July 2014 - 09:42 PM

Created a dedicated guide on this infection:

CTB Locker and Critroni Ransomware Information Guide and FAQ

#4 1BadBoy

  • Members
  • 11 posts

Posted 29 July 2014 - 12:56 AM

$120? I'm surprised it's not more.

#5 Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 29 July 2014 - 08:08 AM

$120? I'm surprised it's not more.


Agreed. They probably feel a low price will entice people to just pay.

#6 zingo156

  • BC Advisor
  • 3,333 posts
  • Gender:Male

Posted 29 July 2014 - 02:20 PM

Another encryption ransomware with many more to come... Good backups are the only way to win the war against all ransomware. Grinler, thanks for the posts, I like staying up to date on ransomware in case I happen to run into it. Do we know how the infection hits? Email or some exploit?


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#7 Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 29 July 2014 - 02:26 PM

That is unknown at this point unfortunately.

#8 Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 31 July 2014 - 10:16 AM

ok thx

#9 ryunnosuke

  • Members
  • 19 posts

Posted 23 August 2014 - 08:11 PM

I have this virus and need help removing it. I already read the guide, but I'm unsure about how to get it all off my computer. Any help?



#10 df123

  • Members
  • 3 posts

Posted 21 September 2014 - 05:16 PM

Hi, 
My computer was recently infected with CTB-Locker and I am unsure how to remove the virus. I ran Norton Antivirus in an attempt to remove the virus, but the virus appears to still be on my computer. I went to the temp directory to see if I could remove the virus manually, but there are 80,000 files in it. I suspect these are all from the virus as the dates are very recent. One of the files is called "jeceaii" and Windows considers it an application; the rest of the files are temp files and folders. I tried deleting jeceaii and a few of the temp files just to see what it would do. The temp files deleted, but not jeceaii, because it claims it is running another application (even though I have nothing up). At this point I know that the encrypted files are gone, but it would be extremely helpful if someone could help me remove the virus!

I have a Windows 8 computer, if this piece of information helps at all.

Thanks so much!



#11 krisz90

  • Members
  • 6 posts

Posted 02 November 2014 - 11:38 AM

Hi everyone, I am infected with CTB-Locker. I did not pay the ransom, so all of my files remain encrypted. I have been trying to find a solution to get my files back during the last month, but I could not resolve the problem. It would be very important to recover or decrypt my files, as they are part of my university studies. I do not have backup files either. Can someone tell me how I could get my files back? Or does anyone know if there will be any tools developed to decrypt the files encrypted by CTB-Locker? Thank you in advance!


Edited by krisz90, 02 November 2014 - 01:41 PM.


#12 sasforge

  • Members
  • 2 posts

Posted 29 December 2014 - 03:33 PM

Since it is now 5 months from the original articles, is it known how CTB Locker is delivered to the unsuspecting computer user?

Do I need to ban email for all my clients?



#13 antiteori

  • Members
  • 2 posts

Posted 09 January 2015 - 07:23 AM

Has anyone succeeded in decrypting?

#14 Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 09 January 2015 - 11:15 AM

No, unfortunately not.

#15 ryan@dcci

  • Members
  • 2 posts

Posted 09 January 2015 - 03:26 PM

Do you know of anyone that has paid the ransom and gotten their files back? I haven't been able to find any feedback online. I'm working on a computer that was infected and the owner is willing to pay. I don't want them paying if there's no chance of getting their data back...


