Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New CTB-Locker campaign underway increased ransom timer and localization changes


  • Please log in to reply
63 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,713 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:19 PM

Posted 20 January 2015 - 03:12 PM

Within the past few weeks, a new CTB-Locker, aka Critroni, campaign has been underway that uses emails that pretend to be fax notifications. These emails contain zip attachments claiming to be faxes for you or your company. When you open the zip file they will contain files that have the .scr extension and an icon that looks like a fax machine. When you double-click on the attached file, the installer will display a RTF file in Word or Wordpad that pretends to be an order or shipment notification fax. Behind-the-scenes, though, the installer is silently downloading and executing the CTB-Locker ransomware on your computer. It is not until all of your files are encrypted that you will then be shown a ransom notes with instructions on how to get your files back.
 

critroni-attachment-icon.jpg
CTB-Locker/Critroni Attachment Icon


Thanks to @bartblaze, who provided the new samples, we can see that the changes in this new version of CTB-Locker are an increased ransom payment deadline and language localization changes. In previous version the ransom timer was set for 72 hours, but in this version the timer has been increased to 96 hours. The other change is different language localizations for the ransomware program. The original version allowed you to display the ransom note in either Russian or English. The new version of CTB-Locker has removed the Russian language option and added German, Dutch, and Italian. Screenshots of these new localizations can be found below.

As always, for the latest information on CTB-Locker, please see our CTB Locker and Critroni Ransomware Information Guide and FAQ or visit our CTB-Locker support topic.

Language localization screens:
 

ransom-screen-english.jpg
CTB-Locker Ransomware with English Localization


ransom-screen-german.jpg
CTB-Locker Ransomware with German Localization


ransom-screen-dutch.jpg
CTB-Locker Ransomware with Dutch Localization


ransom-screen-italian.jpg
CTB-Locker Ransomware with Italian Localization



BC AdBot (Login to Remove)

 


#2 zingo156

zingo156

  • BC Advisor
  • 3,321 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:19 PM

Posted 20 January 2015 - 03:19 PM

The delivery method seems similar to the original cryptolocker. I am glad I still have email policies in place that block these file types along with all other runable file types.


Edited by zingo156, 20 January 2015 - 03:22 PM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#3 M. de Jager

M. de Jager

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 AM

Posted 20 January 2015 - 03:23 PM

Will there become a unlocker avaibole for this one? It scares me if I lost all my data.

How is the protection of it, for example with EAM?



#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Malware Study Hall Senior
  • 5,518 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Westfalen, Germany
  • Local time:03:19 AM

Posted 20 January 2015 - 04:25 PM

Wonder if these are also distributed via downloader trojans and botnets.

How is the protection of it, for example with EAM?

I believe Emsisoft products' behavior blocker works against crypto ransomware in general.

#5 GT500

GT500

    Authorized Emsisoft Representative


  • Security Colleague
  • 118 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Fortville, Indiana, USA
  • Local time:09:19 PM

Posted 20 January 2015 - 04:27 PM

Thank you for the update Grinler. :wink:

This new CTB-Locker push had me confused in mid-December (I thought it was a new ransomware), until someone finally sent me a copy of the BMP image that their desktop background was changed to.


I believe Emsisoft products' behavior blocker works against crypto ransomware in general.


Yes, anything installed by a trojan should cause a notification from the Behavior Blocker (probably "invisible install" or something similar), and any time something that's not automatically trusted (such as unknown executables) tries to create loadpoints there should be a notification from the Behavior Blocker.

Edited by GT500, 20 January 2015 - 04:30 PM.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#6 calgary11

calgary11

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:19 PM

Posted 20 January 2015 - 04:43 PM

Do we know where is the .scr file running from ?

Is it from %AppData%, %LocalAppData% ?



#7 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,713 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:19 PM

Posted 20 January 2015 - 04:45 PM

Will there become a unlocker avaibole for this one? It scares me if I lost all my data.


Unfortunately, not at this time. Unless we get access to the keys, nothing can be done.

How is the protection of it, for example with EAM?


Pretty good in fact. EAM and MBAM both detect the main installer. So if you had either installed you would not have been infected.

#8 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,713 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:19 PM

Posted 20 January 2015 - 04:46 PM

Do we know where is the .scr file running from ?
Is it from %AppData%, %LocalAppData% ?


The scr file is included in the ZIP file attachment in the email you receive. If you open it directly from the attachment it may launch from %Temp% or the temporary internet files folder.

#9 calgary11

calgary11

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:19 PM

Posted 20 January 2015 - 05:21 PM

Maybe I am getting a little paranoid but I'm adding this to my GPO Software restrictions. It is probably overkill but it can't hurt.

 

Disallowed
%AppData%\*.scr
%AppData%\*\*.scr
%LocalAppData%\*.scr
%LocalAppData%\*\*.scr
%Temp%\*.zip\*.scr
%Temp%\7z*\*.scr
%Temp%\Rar*\*.scr
%Temp%\wz*\*.scr
%Temp%\*.scr
 

Just trying to stay ahead of the curve



#10 RobertHD

RobertHD

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Somewhere in Oz
  • Local time:12:49 PM

Posted 20 January 2015 - 10:24 PM

Nother peece of malware crap


Robert James Crawley Klopp


#11 M. de Jager

M. de Jager

  • Banned
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 AM

Posted 21 January 2015 - 06:59 AM

 

Will there become a unlocker avaibole for this one? It scares me if I lost all my data.


Unfortunately, not at this time. Unless we get access to the keys, nothing can be done.

How is the protection of it, for example with EAM?


Pretty good in fact. EAM and MBAM both detect the main installer. So if you had either installed you would not have been infected.

 

Thanks!

 

I've both installed EAM and MBAM so I must be safe? :)



#12 JBekking

JBekking

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Hague, the Netherlands
  • Local time:04:19 AM

Posted 21 January 2015 - 08:59 AM

Since this morning Forefront security (on exchange) also blocks this, Barracuda EMail Security blocks it as well.



#13 circusninja

circusninja

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 21 January 2015 - 12:13 PM

hi all, so i came across a new variant of this cryptolocker with the 92hour timer in english. I have managed to use a few tools to clear the infection but now the https://www.decryptcryptolocker.com/ tool does not work to decrypt the infected files. anyone had some luck with another tool?

 

thanks



#14 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,713 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:19 PM

Posted 21 January 2015 - 12:30 PM

Decryptcryptolocker.com does not work with this ransomware. At this time there is no free decryption method.

#15 Morbid-BM

Morbid-BM

  • Members
  • 1 posts
  • OFFLINE
  •  

Posted 22 January 2015 - 05:38 AM

This bleep happened to me the other day. It literally STOLE my life from me. I am an aspiring musician with loads of lyric and song fragments that I've created over the years.

Its all gone. ..

They wanted 1.9 bitcoin. Which is around 415$ USD. As a person with little money, I have no means to pay. But if I did I would pay in an instant to save irreplaceable files. ..

I tried everyday to conjure up the money and to no avail...

I've nothing to add here just a whiny post. I know there's nothing to be done without the private key. But damn, I hope in the future there will be a way to decrypt these precious files for me.

Yes I know I should have backed up my irreplaceable files, thats the last thing I think about when I'm trying to be creative. Sucks for my dumbass self.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users