New Critroni variant offers free test decryption and now uses CTB2 extension


6 replies to this topic

#1 Grinler (Lawrence Abrams), Admin

Posted 28 August 2014 - 09:44 AM

A new variant of the Critroni, or CTB Locker, ransomware is being distributed that now offers the ability to decrypt 5 files as proof that paying the ransom will get you your files back. This variant also changed the extension of encrypted files from .CTBL to .CTB2. Unfortunately, there is still no known method of decrypting your files without paying the ransom.
 

[Image: free-decryption.jpg]


As reported by Kafeine, this malware is offered as a paid subscription service on the black market. This allows different individuals or organizations to purchase, customize, and distribute the malware. At this point, it is unknown whether this new variant is from the same group or if it is a new purchaser.

Our guide on this infection has been updated to contain information about this new variant:

CTB Locker and Critroni Ransomware Information Guide and FAQ


Edited by Grinler, 28 August 2014 - 04:28 PM.
Updated to include reference to Kafeine's article on how the malware kit is sold.



#2 Cauthon, Member

Posted 11 September 2014 - 09:51 PM

This seems like a really interesting problem. I assume by now a lot of people have been working on it, but I haven't seen anything about that. Do you have any of the details? For example, do we know whether the files are really scrambled or if it's just the names and references (FAT, or whatever its name is lately)? And what can we learn from studying the restoration of files after people have paid the ransom?

 

And somebody commented that we can't beat the problem with brute force because the hard drive would wear out before we got results, but IMHO the first thing to do is copy it all onto something else, and put the hard drive away somewhere until it's time to clean it up or throw it away. Would we need to have everything that is on the corrupted hard drive all stored in memory of some kind in one place, or could we work on one or more small parts of the encrypted files and find a way to decrypt all of them?



#3 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 12 September 2014 - 09:45 AM

Brute forcing is not a mechanical failure issue, but a time one. It is just not practical to try and brute force some of these encryptions as it would take too long even with the fastest computers out there.

#4 carbonbadu, Member

Posted 08 October 2014 - 12:38 PM

Thousands of my files are infected by that virus and I want them all back... Please, guys, tell me the solution to it, please.

 



#5 CB77, Member

Posted 15 October 2014 - 06:58 AM

I got infected too.

 

Definitely the .ctb2 extension that infected my .jpg, .doc, .zip, and .txt files.

No mkv or mp4 video files have been infected, nor the mp3 music files.

 

Sadly, it also infected my external portable hard drive (which is my backup).

 

My computer runs on Win8 and apparently you had to set the system restore points manually (thanks for not informing me of that, Windows!) so no restore points that are of use (there are 2 that are from yesterday - when this malware popped up with the ransom screen, and one from 3 days ago when I suspect I got the infection).

Also no restore function (previous version) under the click+right option since apparently this too you have to set manually and doesn't get done automatic in Win8.

 

I've run AVG virus scan, Avast virus scan and Malwarebytes over it. It found several threats with both virus scans, and a ton of threats with Malwarebytes. All have been quarantined.

 

I would really like some help since I lost all my personal pictures of the past 3 years (which were stored both on the computer and the external hard drive - which I had plugged in when the infection happened). I am not a computer wiz so this is definitely a challenge.

 

What more do I need to do? Is this malware off my computer, and ext. hard drive (I ran malwarebytes and virusscan over that drive too)? Is there a way to check that?

Also, what can I do to restore my files? Is there anything?

I tried the delocker with the link found somewhere else on this forum (I lost the direct link) but there it tells me my files aren't infected with Cryptolocker (yeah, right...).

 

And in no way will I pay these bastards who made the malware!

 

Really could use some help!



#6 HurtBadByVirus, Member

Posted 15 January 2015 - 06:45 AM

I got slammed, too - I am on the verge of tears. I stopped the virus before the "All Files Encrypted" ransom message came up. Does anyone know how to reach these people besides that message? I am willing to pay the ransom - I have a lifetime of stuff on there that is inaccessible and I must get it back. Does anyone know about how to reach them?



#7 quietman7 (Bleepin' Janitor), Global Moderator

Posted 15 January 2015 - 07:12 AM

CTB Locker and Critroni Ransomware Information Guide and FAQ

The CTB Locker Site

The developers of CTB Locker created a TOR web site that victims can use to learn how to pay the ransom to decrypt their files. Links to this site can be found in the %MyDocuments%\AllFilesAreLocked <user_id>.bmp, %MyDocuments%\DecryptAllFiles <user_id>.txt, and %MyDocuments%\<random>.html that are created when you are first infected. At this time the current TOR address is http://zaxseiufetlkwpeu.onion. Once you visit the site you can pay the ransom, which is currently $120 USD by sending Bitcoins to the specified address. This bitcoin address will be unique to your computer and will not be used by others.

Once a payment is made you must wait until there are a certain amount of bitcoin confirmations before your private key and a decrypter will supposedly be made available for download. At this time the infection is too new to know if paying the ransom will actually get you a decryption tool.

Will paying the ransom actually decrypt your files?

At this point the infection is too new to know the answer to this question. As we learn more, we will update this FAQ to contain this information.


As of Jan 12, at least one victim reported paying the ransom and successfully decrypting their data...CTB Locker Support Topic
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
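The thread leaves two practical questions open: Cauthon's (#2) "are the files really scrambled, or is it just the names?", and CB77's (#5) "is it off my computer and my external drive, and how do I check?". The following is an added triage script, not code from the original thread or from BleepingComputer; it uses only indicators the thread itself states: the .CTBL/.CTB2 extensions from post #1 and the AllFilesAreLocked <user_id>.bmp / DecryptAllFiles <user_id>.txt note names quoted in post #7 (the <random>.html note has no fixed name and is not matched). It assumes the ransomware appends its extension to the original name (photo.jpg becomes photo.jpg.ctb2), so the original type can be read back and its magic bytes checked; the entropy threshold, the 4096-byte sample size and the two-"drive" demo tree are assumptions constructed for the example, not victim data.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the thread reports for CTB Locker / Critroni output:
# .CTBL (earlier builds) and .CTB2 (the variant discussed here).
ENCRYPTED_EXTS = {".ctbl", ".ctb2"}

# Ransom-note names quoted in the FAQ (post #7). <user_id> differs per
# victim, so they are matched as patterns; <random>.html is not matched.
NOTE_PATTERNS = [
    re.compile(r"^AllFilesAreLocked .+\.bmp$", re.IGNORECASE),
    re.compile(r"^DecryptAllFiles .+\.txt$", re.IGNORECASE),
]

# Signatures of file types CB77 reports as hit. Assumption: the extension
# is appended (photo.jpg -> photo.jpg.ctb2), so the original type survives
# in the name and its magic bytes can be checked.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".zip": b"PK\x03\x04",
}

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path, sample_size=4096):
    """Inspect the head of one .ctb2/.ctbl file: is the content really
    scrambled, or does the original header survive (name change only)?"""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    original_ext = Path(path.stem).suffix.lower()  # "holiday.jpg.ctb2" -> ".jpg"
    magic = MAGIC.get(original_ext)
    header_intact = magic is not None and head.startswith(magic)
    ent = shannon_entropy(head)
    # A short sample cannot reach 8 bits/byte (n bytes cap it at log2(n)),
    # so judge against what this sample length allows; ignore tiny files.
    max_bits = min(8.0, math.log2(len(head))) if head else 0.0
    return {
        "name": path.name,
        "path": str(path),
        "original_ext": original_ext,
        "entropy": round(ent, 2),
        "header_intact": header_intact,
        # near-maximal entropy and no recognisable header: ciphertext
        "looks_encrypted": len(head) >= 64 and not header_intact
                           and ent > 0.9 * max_bits,
    }

def sweep(roots):
    """Walk every root (system disk, external backup, ...) and collect
    encrypted files plus ransom notes."""
    encrypted, notes = [], []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.suffix.lower() in ENCRYPTED_EXTS:
                    encrypted.append(classify(p))
                elif any(pat.match(name) for pat in NOTE_PATTERNS):
                    notes.append(str(p))
    return {"encrypted": encrypted, "notes": notes}

def build_demo_tree(base):
    """Constructed sample (not real victim data): a system disk and an
    external backup laid out the way CB77 describes."""
    system = base / "system" / "Documents"
    external = base / "external" / "Pictures"
    system.mkdir(parents=True)
    external.mkdir(parents=True)
    # genuinely encrypted: random bytes, JPEG header gone
    (system / "holiday.jpg.ctb2").write_bytes(os.urandom(4096))
    # renamed only: JPEG magic still present, near-zero entropy body
    (system / "renamed.jpg.ctb2").write_bytes(b"\xff\xd8\xff" + b"\x00" * 2000)
    # ransom notes as named in the FAQ, with a made-up user id
    (system / "AllFilesAreLocked 1a2b3c.bmp").write_bytes(b"BM" + b"\x00" * 64)
    (system / "DecryptAllFiles 1a2b3c.txt").write_text("constructed note")
    (system / "song.mp3").write_bytes(b"ID3" + b"\x00" * 100)  # untouched
    (external / "backup.zip.ctb2").write_bytes(os.urandom(4096))
    return [base / "system", base / "external"]

def demo():
    """Run the sweep over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(build_demo_tree(Path(tmp)))

if __name__ == "__main__":
    for entry in demo()["encrypted"]:
        print(entry)
```

On a real machine, call sweep() with the drive roots (for CB77's case, the system drive and the external drive) instead of the demo tree. A .ctb2 file whose original header is intact and whose entropy is low would mean only the name changed and the content is recoverable by renaming; a file that reads as near-uniform random bytes with no header is ciphertext, which is what Grinler's reply in #3 implies and why the page reports no decryption method short of the key. Finding the note files on a drive is a sign that the drive was reachable while the malware ran, not that it is still executing; the sweep finds what was encrypted, it does not prove the infection is gone.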



