New CTB-Locker Variant/Copycat using Extension .PTYSASJ


#1 lmcruz



Posted 18 October 2015 - 01:32 AM


I just noticed that many of my system files were changed earlier this morning. The file extensions are being changed to .ptysasj and I found CTB-Locker bitmap and text file notices on my computer.

The files are named:


Here's a summary of my situation:

Machine: Dell XPS 64bit Windows 7 Home
File extensions changed to: PTYSASJ
File types left on machine: !Decrypt-All-Files-ptysasj.BMP and !Decrypt-All-Files-ptysasj.txt

One main difference I have noticed with this attack/variant from Cryptorbit is that the files corrupted were system files and application necessary files. For example, this variant actually went and appended the PTYSASJ extension to several components of my Python 3.1 installation. All my Python Lib files/components now have the .PY.ptysasj extension.

It also seemed to single out all my C++ and C# source and header files.

Cryptorbit changed the extensions of all my JPEG, BMP, DOC, PDF, TXT, XLSX, PPT, XLS files. However, so far this ptysasj has not touched my TXT, JPEG, PDFs.

Only some of my .DOCX/.DOC files and many of my system files.

I managed to clean my computer from the previous Cryptorbit infection from 2 years ago. Unfortunately my computer was hit just yesterday.

Attached is a screenshot of the ransom bitmap left.

Is there any fix for corrupted files?

Edited by hamluis, 18 October 2015 - 07:11 AM.
Moved from Am I Infected to Gen Security - Hamluis.



#2 quietman7



Posted 20 October 2015 - 05:45 PM

The newest variants of CTB Locker typically append encrypted data files with a 6-7 length extension consisting of random characters. This extension is believed to be generated as a result of some type of algorithm involved at the time of the initial infection. The newer variants also do not always leave a ransom note if the malware fails to change the background, like it generally does. Compounding matters, the newer CTB-Locker infection has sometimes been seen in combination with KEYHolder, Torrent Locker (fake Cryptolocker) or Cryptowall ransomware. If you were double-encrypted, there will be differently named ransom notes throughout your computer.

A repository of all current knowledge regarding this infection is provided by Grinler (aka Lawrence Abrams), in this topic: CTB Locker and Critroni Ransomware Information Guide and FAQ

Unfortunately there is no fix tool and no known method to retrieve the private key that can be used to decrypt your files without paying the ransom. With dual infections, that means paying both ransoms. Brute forcing the decryption key is not a realistic option.

There is also an ongoing discussion in this topic:

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
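
Added example, not part of either post and not BleepingComputer tooling: a read-only Python inventory that derives the appended extension from ransom notes named as in the first post, then tallies which original file types were renamed, for scoping what needs restoring from backup. The letters-only 6-7 character pattern, the function names and the sample tree are assumptions made for illustration.

```python
import re
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Note names as reported in the thread: !Decrypt-All-Files-<ext>.BMP / .txt
# Assumption: <ext> is 6-7 letters, as in the .ptysasj case.
NOTE_RE = re.compile(r"^!Decrypt-All-Files-([a-z]{6,7})\.(?:bmp|txt)$", re.IGNORECASE)

def inventory(root):
    """Map each extension named by a ransom note to its notes and renamed files."""
    paths = [p for p in Path(root).rglob("*") if p.is_file()]
    report = {}
    for p in paths:  # pass 1: learn extensions from ransom note names
        m = NOTE_RE.match(p.name)
        if m:
            entry = report.setdefault(
                m.group(1).lower(), {"notes": [], "files": [], "by_type": Counter()})
            entry["notes"].append(p)
    for p in paths:  # pass 2: collect files carrying a learned extension
        ext = p.suffix[1:].lower()
        if ext in report:
            report[ext]["files"].append(p)
            # original type is the suffix left once the appended one is dropped
            report[ext]["by_type"][Path(p.stem).suffix.lower() or "(none)"] += 1
    return report

def demo():
    """Inventory a constructed sample tree (file names are made up)."""
    names = ["!Decrypt-All-Files-ptysasj.txt", "!Decrypt-All-Files-ptysasj.BMP",
             "Lib/os.py.ptysasj", "src/main.cpp.ptysasj", "src/util.h.ptysasj",
             "docs/report.docx.ptysasj", "docs/notes.txt", "pics/cat.jpeg"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            f = Path(tmp, name)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"constructed sample")
        return {ext: (len(e["notes"]), dict(e["by_type"]))
                for ext, e in inventory(tmp).items()}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a real directory, read-only
        for ext, e in inventory(sys.argv[1]).items():
            print(f".{ext}: {len(e['notes'])} notes, {len(e['files'])} files")
            for kind, count in e["by_type"].most_common():
                print(f"  {kind}: {count}")
    else:
        print(demo())
```

More than one extension in the output means differently named notes were found, which matches the double-encryption case described in the reply.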
