
CTB-Locker Ransomware Support and Help Topic - DecryptAllFiles.txt

512 replies to this topic

#31 White Hat Mike


Posted 19 January 2015 - 01:22 AM

FYI -- Before anyone asks, the registry appears to be clean.  Not noticing anything suspicious within the registry... unfortunately, the remediation attempts performed by the user most likely removed the associated registry entries.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#32 quietman7


Posted 19 January 2015 - 07:42 AM

I've noticed a CTB Locker infection with these same characteristics; odd file name extensions being added [after encryption].  I've extracted a BAT file that renames the files, as well as a bunch of other stuff as I analyze an infected device.  I've posted a thread in this forum with information discovered during my analysis, hope it helps you and that others can chime in and help as well.
 
I've posted an image in my thread of the ransom note dropped, would help if you could view the note in the .BMP image found in the "Documents" folder and let me know if the text within the image is the same, and if the naming convention used for the file (<filename> <userID>.bmp) matches up with the infection you've discovered.

I merged that topic with this one here to keep the information centralized in one discussion thread. This makes it more manageable for staff and for members searching for information.

Yes...the newest variants of CTB Locker typically encrypt all data files and rename them with a 6-7 character extension made up of random characters. The newer variants also do not always leave a ransom note if the malware fails to change the background, like it generally does.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
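As an added example (not code from the original posts), a small Python script for the symptom quietman7 describes: data files renamed with the same random 6-7 character extension. It only flags an unknown extension of that length when it recurs across many files, which is what separates an encryption run from one oddly named file; the file list it carries is constructed.

```python
"""Spot files that look like CTB-Locker output: the same random 6-7
character extension (e.g. .YZKJCXB) appended to data files en masse.
Added example, not code from the original posts."""
import os
import re

# 6-7 letters/digits, nothing else (thinkabout's .YZKJCXB fits).
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{6,7}$")
# Legitimate extensions of that length; extend for your environment.
KNOWN_EXTS = {".torrent", ".sqlite", ".config", ".webapp", ".gradle", ".sqlite3"}

SAMPLE_NAMES = [  # constructed file list for a quick run, not from the thread
    "Documents/budget.xlsx.YZKJCXB", "Documents/letter.docx.YZKJCXB",
    "Pictures/holiday.jpg.YZKJCXB", "Pictures/cat.png.YZKJCXB",
    "Desktop/notes.txt.YZKJCXB", "Downloads/movie.torrent",
    "Downloads/app.config", "Desktop/odd.abcdef", "Desktop/DecryptAllFiles.txt",
]

def random_extension(name):
    """Return the extension if it looks random (6-7 alphanumerics that are
    not a known format), otherwise None."""
    ext = os.path.splitext(name)[1]
    if RANDOM_EXT.match(ext) and ext.lower() not in KNOWN_EXTS:
        return ext
    return None

def find_encrypted_candidates(names, min_files=5):
    """Group files by random-looking extension and keep extensions that
    recur on at least min_files files: one odd extension on one file is
    noise, the same one on every document is an encryption run.
    Returns {extension: [names]}, largest group first."""
    by_ext = {}
    for name in names:
        ext = random_extension(name)
        if ext:
            by_ext.setdefault(ext, []).append(name)
    hits = {e: f for e, f in by_ext.items() if len(f) >= min_files}
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))

def scan_tree(root, min_files=5):
    """Walk a directory tree (e.g. a mounted image of the infected disk)
    and run find_encrypted_candidates over every file path in it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return find_encrypted_candidates(paths, min_files)
```

Run `scan_tree` against a mounted copy of the affected drive rather than the live system, so the scan itself does not touch the evidence.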

#33 White Hat Mike


Posted 19 January 2015 - 07:41 PM

Pretty sure I've extracted the executable that launches the new variant of CTB-Locker...  unless this user had an additional type of ransomware on their device.  Initial static & dynamic analysis efforts make it clear that it is ransomware...

  • Creates a number of files, [attempts] to cover its tracks by deleting them afterward
  • Creates / modifies files in the Windows system folder
  • Uses SSL
  • Modifies Registry (for persistence [auto-start])
  • Modifies
  • Injects code into other processes
  • Accesses new files planted on the HD prior to execution

Lots of DNS queries, here are some domains (not including unique subdomains):

  • telize.com
  • tor2web.org
  • onion.cab

Makes a GET request to ip.telize.com

 

Observed Connections:

  • 188.138.122.22:443 (Country: DE)
  • 46.19.37.108:80 (Country: NL)
  • 194.150.168.70:443 (Country: DE)

Creates additional executables with payload, as expected, Win XP sandbox reveals it creates one of them (with no extension) in C:\Documents and Settings\All Users\Application Data\Microsoft.  On this XP sandbox, it also created the following file: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015010420150105\index.dat.

 

Also (note: so I can stop re-mentioning it, this is based on sandbox analysis run on a Win XP machine), it creates a job file in the C:\WINDOWS\Tasks folder.  It later deletes this file, along with the other files it drops.

 

Also performs a ton of registry activity, too much to sift through right now.  Sets NULL values for a lot of keys within \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\{id}\Blob.

 

It will then delete all shadow volume copies from the machine, or at least it attempts to.




#34 White Hat Mike


Posted 19 January 2015 - 11:51 PM

I have submitted the sample that I have exported.  I have a lot more information documented about it after reviewing it for a bit, still haven't bothered to disassemble it as I doubt it's much different than previous versions.

 

Let me know if the sample I submitted helps!




#35 john1marY


Posted 20 January 2015 - 01:07 AM

Hi - I have the dubious pleasure of reporting a full-blown encryption of all my data - yesterday evening. CTB-Locker.

Sent to me via email in a ZIP-file - which I was stupid enough to open :-(

 

The below message was contained in the email. Any ideas on what to do? Does it help to pay up??

 

-----Original Message-----
From: Rufina Gremer [mailto:dubiously@sfport.com]
Sent: Montag, 19. Januar 2015 17:08
To: eberhard-knapp@usa.net
Subject: Fax2mail-+07814 709 976

 

Number: +07814 709 976

Date: 2015.01.18 15:07:41 CST

Pages: 2

ID: Q73O1F34B3146

Filename: inveigle.zip

 

--

Robert Mackie & Co Knitwear Ltd

Rufina Gremer



#36 White Hat Mike


Posted 20 January 2015 - 01:12 AM

(quoting john1marY's post #35 above)

 

So upon accessing the ZIP you were infected, or within the ZIP you opened a PDF that ended up being a masked executable that delivered the payload?

 

I would wait it out a bit and wait for some more feedback; although this may result in an increase in the ransom price (unsure, as I do not plan to pay a ransom, just to analyze the ransomware).  It's never recommended to pay these criminals, as their MO for the creation and delivery of ransomware is--of course--financial gain.  Paying the ransom just funds their criminal activities, but some companies (or persons) simply have no choice...

 

Information surrounding this seemingly new variant is very limited; there's no guarantee that the decryption service will work in any case, and with a new(er) variant, it's always best to wait and be safe rather than sorry.  It would suck to shell out hundreds of dollars for a solution that does not work (if any is delivered at all).




#37 dvirs


Posted 20 January 2015 - 02:15 AM

We've got a similar mail with a nested zip called commensalism.zip, and inside the nested zip sits a file commensalism.scr. And that's how they rolled our computer...

It also tried to encrypt PST files, but luckily they were opened by Outlook so it couldn't harm them.

We're using TrendMicro in our organization and yesterday it didn't find a thing when I connected the infected HDD offline, but today the exe that the scr creates was detected, while the scr itself is still not being detected...

I've tried to decrypt some files with Panda Ransomware Decrypt but no success..

 

 

That's the scan of the scr that is inside the nested zip file:

https://www.virustotal.com/he/file/8efc4bfa71dd75891cf32665272b24d554feecdd2b1114039192d22b80f27cea/analysis/1421689530/

 

That's a scan of the exe that is dropped in the %temp% folder after the scr is executed:

https://www.virustotal.com/he/file/f557acbedc4ceadeb86b2612d1e738e02437d8efb46a7fcdd67a67b9476a805c/analysis/1421685184/


Edited by dvirs, 20 January 2015 - 02:35 AM.


#38 JBekking


Posted 20 January 2015 - 04:13 AM

Also got hit by this one, 1 user got an email in her hotmail box and opened the attached zip file. On my way to her now to get my hands on the email and attachment.

 

Update:

Yesterday the user was able to open the attachment of the mail; at this moment outlook.com prevents use/downloading of the attachment and displays a warning that the file is infected.

 

I was able to save the email (including attachment) by saving the source, with a base64 decoder I was able to extract the zip file. Now creating a standalone test environment to analyse if the file wasn't corrupted / damaged by the base64 decode. If the zip is intact I will submit it at BC. After that I'll infect a machine to analyse the piece of cr<beep>p. Results I'll post here as well.


Edited by JBekking, 20 January 2015 - 06:45 AM.


#39 thinkabout


Posted 20 January 2015 - 12:33 PM

Same problem here, all files with extension .YZKJCXB



#40 Grinler

    Lawrence Abrams (Topic Starter, Admin)

Posted 20 January 2015 - 01:22 PM

Latest campaign appears to be a zip attachment that contains a .scr file. These scr files pretend to be faxes and have an icon that looks like this:

[image: critroni-attachment-icon.jpg]

Once the .scr file is opened, it will either extract or download a rtf of the same name and store it in the %temp% folder. It will then open this RTF and then continue to silently encrypt your data in the background.

As explained in the CTB-Locker/Critroni guide, recent variants of CTB-Locker have been using random file name extensions.
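As an added example (not code from the original posts), a Python triage routine for the lure Grinler and dvirs describe: a ZIP attachment, possibly a zip inside a zip, whose member is a .scr. It assumes the message is available as raw .eml bytes (the form JBekking saved it in) and builds its own constructed sample modelled on the Fax2mail message quoted above.

```python
"""Triage an e-mail for the lure in this thread: a ZIP attachment (possibly
nested) carrying a .scr. Added example, not the posts' code; sample is constructed."""
import email, io, os, zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions Windows executes; a ZIP attachment carrying one is a red flag.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def zip_members(data, depth=0, max_depth=3):
    """Yield (member_name, depth) for each file in a ZIP, recursing into
    nested ZIPs (the thread reports a zip inside a zip holding the .scr)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            yield info.filename, depth
            if info.filename.lower().endswith(".zip") and depth < max_depth:
                yield from zip_members(zf.read(info), depth + 1, max_depth)

def triage_eml(raw):
    """Return one finding per executable found inside a ZIP attachment;
    'fax_lure' marks the Fax2mail-style subject the posters quoted."""
    msg = email.message_from_bytes(raw, policy=default)
    fax_lure = "fax" in (msg["subject"] or "").lower()
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        for member, depth in zip_members(part.get_payload(decode=True)):
            if os.path.splitext(member)[1].lower() in EXECUTABLE_EXTS:
                findings.append({"attachment": fname, "member": member,
                                 "nested": depth > 0, "fax_lure": fax_lure})
    return findings

def build_sample_eml():
    """Constructed sample: commensalism.zip -> commensalism.zip -> .scr."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("commensalism.scr", b"placeholder bytes, not malware")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("commensalism.zip", inner.getvalue())
    msg = EmailMessage()
    msg["Subject"] = "Fax2mail-+07814 709 976"
    msg["From"], msg["To"] = "sender@example.invalid", "victim@example.invalid"
    msg.set_content("Number: +07814 709 976\nPages: 2\n")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="commensalism.zip")
    return msg.as_bytes()
```

The same check fits a mail-gateway rule: reject or quarantine any ZIP attachment whose members (at any nesting depth) include one of the executable extensions.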

#41 Grinler

Posted 20 January 2015 - 01:30 PM

Out of curiosity, has anyone found that they have become double-infected with both CryptoWall and then CTB-Locker? We have been getting reports of double-ransomware infections and are trying to track down the installer.

#42 thinkabout


Posted 20 January 2015 - 02:00 PM

Here only CTB, but I unplugged my PC from the network a little after.



#43 quietman7


Posted 20 January 2015 - 02:18 PM

(quoting Grinler's question in post #41 above)

In case you missed it with the volume of postings.....neno_gsxr1000 reported a double infection in Post #22

#44 Grinler


Posted 20 January 2015 - 02:29 PM

Thanks..yes he was one of the ones I spoke to.

#45 White Hat Mike


Posted 20 January 2015 - 02:51 PM

(quoting Grinler's question in post #41 above)

 

I actually found a device infected with KEYHolder that had CryptoLocker installers still on it (in one of the generic UpdateFlashPlayer_<string>.exe files).

 

I submitted a sample last night; I'm not sure what it is but it does make a ton of connections to tor2web, onion.cab, etc, and it was found on the device I'm analyzing that's infected with the new CTB-Locker.

 

Also more malware on here, some of it is actually pretty nasty, and one of them hasn't previously been uploaded to VirusTotal...

