03/02/2015

CTB Locker: a new massive crypto-ransomware campaign

A new crypto-ransomware called CTB-Locker has been overloading our mailboxes since last week.


Like its infamous "Cryptolocker" counterpart, its goal is to encrypt your files (on your computer and also on every network share the infected account can write to) in order to extort a ransom (3 bitcoins, or approximately 620 € at the time of writing).


CTB stands for "Curve-Tor-Bitcoin", the three pillars of this new threat: elliptic curve cryptography to protect the file-encryption keys, so that the files cannot be decrypted without a private key that stays with the attackers; Tor to host the payment site anonymously; and Bitcoin for an anonymous payment.


The common infection vector is an email carrying a fake invoice compressed in a ".zip" or ".cab" archive. The archive contains a binary (a Dalexis dropper, usually as an ".scr" file; Windows treats screensavers as ordinary executables) which, once opened, displays a decoy RTF document, waits for 5 minutes (long enough to outlast a short sandbox run) and then drops the actual CTB-Locker payload, which in turn performs the encryption routines.
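The attachment pattern above (an archive whose only interesting member is an executable with a document-looking name) is easy to screen for at the mail gateway. The following is an added example, not code from the advisory: it opens a ZIP attachment in memory, walks nested ZIPs, and reports any member whose real extension is executable or any archive type it cannot look inside (".cab" included). The extension lists and the sample attachment are my own constructions, not indicators taken from the page.

```python
"""Flag e-mail attachment archives that carry an executable dropper.

Added example, not code from the original advisory: a mail-gateway style
check that opens a ZIP attachment in memory and reports every member whose
last extension is executable (catching "Invoice.pdf.scr" style names) or
that is an archive the check cannot look inside. Nested ZIPs are walked.
The sample attachment is constructed here so the script runs offline; the
extension lists are my own choice, not taken from the page.
"""
import io
import posixpath
import zipfile

# Windows runs these whatever comes before the last dot, and hides that last
# extension by default, which is what the "invoice.pdf.scr" trick relies on.
EXEC_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
NESTED_ARCHIVES = {".zip"}                   # stdlib can open these, so recurse
OPAQUE_ARCHIVES = {".cab", ".rar", ".7z"}    # no stdlib parser; flag rather than pass


def classify(member_name):
    """Return a reason string if a single member name is suspicious, else None."""
    base = posixpath.basename(member_name.replace("\\", "/")).lower()
    stem, ext = posixpath.splitext(base)
    if ext in EXEC_EXTENSIONS:
        if posixpath.splitext(stem)[1]:       # "invoice.pdf" + ".scr": double extension
            return "executable with double extension"
        return "executable"
    if ext in OPAQUE_ARCHIVES:
        return "archive that cannot be inspected inline"
    return None


def suspicious_members(zip_bytes, prefix="", depth=0):
    """Walk a ZIP held in memory (and any ZIPs inside it); return [(path, reason)]."""
    if depth > 3:                              # stop archive bombs from recursing forever
        return [(prefix or "<archive>", "nesting too deep")]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = prefix + info.filename
                reason = classify(info.filename)
                if reason:
                    findings.append((path, reason))
                elif posixpath.splitext(info.filename.lower())[1] in NESTED_ARCHIVES:
                    findings.extend(suspicious_members(zf.read(info), path + "!/", depth + 1))
    except zipfile.BadZipFile:
        findings.append((prefix or "<archive>", "not a valid ZIP"))
    return findings


def build_sample_attachment(nested=False):
    """Constructed stand-in for the campaign's attachment: a ZIP holding a fake
    .scr dropper and a decoy RTF (optionally wrapped in a second ZIP)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Invoice_20150302.pdf.scr", b"MZ" + b"\x00" * 64)  # not a real binary
        zf.writestr("invoice.rtf", b"{\\rtf1 decoy}")
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in suspicious_members(build_sample_attachment(nested=True)):
        print(f"BLOCK {path}: {reason}")
```

The check deliberately refuses what it cannot inspect: a ".cab" member is reported rather than passed, since the Python standard library has no CAB reader and the campaign used ".cab" attachments as well as ".zip".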


Below are a few malicious email examples:

Once the computer is infected, a ransom note is displayed explaining how to pay:

At the moment there is no way to recover the files once the system is infected, other than restoring them from backup. The latest version also removes the shadow copies on the system, so the Windows "Previous Versions" feature will not help either. Since the malware encrypts any network share the infected account can write to, a backup that is reachable as a mapped drive can be encrypted along with the originals: keep backups offline or on storage the workstation cannot write to.
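Removal of the shadow copies is one of the few noisy things a ransomware payload does before the damage is visible, which makes it a useful detection point. The following is an added example, not code from the advisory: a small rule set run over process-creation log lines. The advisory does not say how CTB-Locker deactivates the shadow copies; the command lines matched here (vssadmin, wmic, bcdedit) are the usual ways Windows ransomware does it and are my assumption, not a claim about this sample. The log format and the log lines are constructed to resemble Sysmon event 1 / Security 4688 fields.

```python
"""Alert on shadow-copy removal in process-creation logs.

Added example, not code from the advisory. The advisory only says the
latest CTB-Locker build deactivates the shadow copies; it does not say how.
The command lines matched below are the usual ways Windows ransomware does
this (vssadmin, wmic, bcdedit): that choice is my assumption, not a claim
about this sample. The log format and the log lines are constructed to
resemble Sysmon event 1 / Security 4688 fields.
"""
import re

# (rule name, regex over the process command line), case-insensitive
SHADOW_TAMPER_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# Parents from which an admin might legitimately run vssadmin; anything else
# (say, a .scr dropped in %TEMP%) is treated as the worse case.
KNOWN_ADMIN_PARENTS = (r"\cmd.exe", r"\powershell.exe", r"\mmc.exe")


def match_rules(command_line):
    """Names of every rule the command line triggers (empty list if none)."""
    return [name for name, rx in SHADOW_TAMPER_RULES if rx.search(command_line)]


def parse_line(line):
    """Constructed log format: 'key=value | key=value | ...'."""
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def scan(lines):
    """Return one alert per log line that matches a rule, with a severity."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        hits = match_rules(f.get("cmd", ""))
        if not hits:
            continue
        parent = f.get("parent", "").lower()
        interactive = parent.endswith(KNOWN_ADMIN_PARENTS)
        alerts.append({
            "ts": f.get("ts"),
            "user": f.get("user"),
            "parent": f.get("parent"),
            "rules": hits,
            # an admin shell running vssadmin is worth a look; a temp-dir binary is an incident
            "severity": "medium" if interactive else "high",
        })
    return alerts


SAMPLE_LOG = [  # constructed lines, not from a real incident
    "ts=2015-03-02T10:14:05 | user=CORP\\jdoe | parent=C:\\Users\\jdoe\\AppData\\Local\\Temp\\Invoice_20150302.pdf.scr"
    " | image=C:\\Windows\\System32\\vssadmin.exe | cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "ts=2015-03-02T10:14:06 | user=CORP\\jdoe | parent=C:\\Windows\\explorer.exe"
    " | image=C:\\Windows\\System32\\notepad.exe | cmd=notepad.exe invoice.rtf",
    "ts=2015-03-02T23:00:01 | user=CORP\\backupsvc | parent=C:\\Windows\\System32\\cmd.exe"
    " | image=C:\\Windows\\System32\\vssadmin.exe | cmd=vssadmin.exe List Shadows",
    "ts=2015-03-02T23:05:40 | user=CORP\\itadmin | parent=C:\\Windows\\System32\\cmd.exe"
    " | image=C:\\Windows\\System32\\wbem\\WMIC.exe | cmd=WMIC.exe shadowcopy delete",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The parent image is carried into the alert on purpose: "vssadmin list shadows" from a backup account's shell is routine, while "Delete Shadows /All /Quiet" spawned by a screensaver binary in a user's temp directory is the infection chain described above, and the two should not land in the same queue.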


We have collected a list of URLs from which the payloads are downloaded and recommend blocking them on your proxies. Note that these are not actual .tar.gz files but encrypted binary blobs, so archive or content-type based filtering will not catch them; block on the URL itself. Since every URL is HTTPS, a proxy that does not intercept TLS only sees the hostname (in the CONNECT request), so block by hostname wherever full-URL matching is not possible.

https://agatecom.fr/voeux/doom.tar.gz
https://aspiroflash.fr/cai/abc.tar.gz
https://baselineproduction.fr/Modules/doom.tar.gz
https://bikeceuta.com/templates/hello.tar.gz
https://bikeceuta.com/templates/nero.tar.gz
https://breteau-photographe.com/tmp/pack.tar.gz
https://cargol.cat/IESABP/hello.tar.gz
https://cargol.cat/IESABP/nero.tar.gz
https://cds-chartreuse.fr/locales/sancho.tar.gz
https://collection-opus.fr/_gfx/cario.tar.gz
https://compassfx.com/OLD/cario.tar.gz
https://dariocasati.it/logs/dostanes_do_drzky.tar.gz
https://dequinnzangersborne.nl/language/upupup.tar.gz
https://dieideenwerkstatt.at/css/abc.tar.gz
https://evalero.com/img/cario.tar.gz
https://fbrugues.com/language/hiser.tar.gz
https://firststepbahamas.com/PDF/abc.tar.gz
https://fotocb.de/php/upupup.tar.gz
https://hotel-mas-saint-joseph.com/css/pack.tar.gz
https://integritysites.net/files/nero.tar.gz
https://jbmsystem.fr/jb/pack.tar.gz
https://joefel.com/easyscripts/sancho.tar.gz
https://krzysztofkarpinski.pl/log/hiser.tar.gz
https://locamat-antilles.com/memo/sancho.tar.gz
https://m-a-metare.fr/media/sancho.tar.gz
https://maisondessources.com/assets/pack.tar.gz
https://masterbranditalia.com/downloader/cario.tar.gz
https://microneedle.com/menu_files/pack.tar.gz
https://mmadolec.ipower.com/me/cario.tar.gz
https://n23.fr/asstempo/doom.tar.gz
https://necaps.org/pagestyles/mine.tar.gz
https://ohayons.com/dostanes_do_drzky.tar.gz
https://ourtrainingacademy.com/LeadingRE/sancho.tar.gz
https://peche-sportive-martinique.com/wp-includes/pack.tar.gz
https://pinballpassion.fr/images/mine.tar.gz
https://pleiade.asso.fr/piwigotest/pack.tar.gz
https://ppc.cba.pl/cache/hello.tar.gz
https://ppc.cba.pl/cache/nero.tar.gz
https://prevencionprl.com/im/hiser.tar.gz
https://pubbliemme.com/plugins/doom.tar.gz
https://scolapedia.org/histoiredesarts/pack.tar.gz
https://shop-oye.it/XXXinstallXXX/abc.tar.gz
https://siestahealthtrack.com/media/pack.tar.gz
https://smartoptionsinc.com/data-test/hello.tar.gz
https://smartoptionsinc.com/data-test/nero.tar.gz
https://sp107.home.pl/logs/dostanes_do_drzky.tar.gz
https://springtree.cba.pl/modules/cario.tar.gz
https://stmarys-andover.org.uk/audio_files/upupup.tar.gz
https://telasramacrisna.com.br/ramacrisna/mine.tar.gz
https://telasramacrisna.com.br/site/lightbox/hiser.tar.gz
https://thinkonthis.net/style/dostanes_do_drzky.tar.gz
https://thomasottogalli.com/webtest/sancho.tar.gz
https://voigt-its.de/fit/pack.tar.gz
https://wcicinc.org/flv/dostanes_do_drzky.tar.gz
https://www.cpeconsultores.com/tmp/pack.tar.gz
https://www.lamas.si/picture_library/upupup.tar.gz
https://www.sazlar.de/sazlar/mine.tar.gz
https://wymiana-wsb.cba.pl/pp/abc.tar.gz
https://zysztofkarpinski.pl/log/hiser.tar.gz
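To turn the list into something a proxy can consume, the following added example (my code, not the advisory's) parses the URLs, emits the unique hostnames for a hostname-level block (the only level a non-intercepting proxy can enforce for HTTPS, since it sees just the CONNECT hostname) and escaped, anchored full-URL patterns for proxies that do intercept TLS. URL_LIST holds a handful of entries copied from the list above; run it over the whole list. The Squid ACL names and file paths are assumptions of mine.

```python
"""Turn the drop-URL list into proxy block lists.

Added example, not from the advisory. Every URL in the list is HTTPS, so a
forward proxy that does not intercept TLS only ever sees the hostname (in
the CONNECT request): the hostname list is the control that actually
bites, and the full-URL regex list only matters behind TLS interception.
URL_LIST holds a few entries copied from the list above (run it over the
whole list); the Squid ACL names and file paths are my own assumptions.
"""
import re
from urllib.parse import urlsplit

URL_LIST = """
https://agatecom.fr/voeux/doom.tar.gz
https://bikeceuta.com/templates/hello.tar.gz
https://bikeceuta.com/templates/nero.tar.gz
https://www.cpeconsultores.com/tmp/pack.tar.gz
https://mmadolec.ipower.com/me/cario.tar.gz
"""


def parse_urls(text):
    """Pull URLs out of free text, whether one per line or run together on a line."""
    return [tok.rstrip(",;") for tok in text.split() if tok.startswith(("http://", "https://"))]


def hostnames(urls):
    """Unique, lower-cased hostnames for a dstdomain ACL or a DNS sinkhole."""
    return sorted({urlsplit(u).hostname.lower() for u in urls if urlsplit(u).hostname})


def url_regexes(urls):
    """Anchored, escaped patterns for url_regex; only effective with TLS interception."""
    patterns = set()
    for u in urls:
        p = urlsplit(u)
        # re.escape keeps the dots literal, so "bikeceuta.com" cannot match "bikeceutaXcom"
        patterns.add("^" + re.escape(f"{p.scheme}://{p.hostname}{p.path}") + "$")
    return sorted(patterns)


def matches_any(url, patterns):
    """True if url hits one of the generated patterns (used to sanity-check the list)."""
    return any(re.search(pat, url, re.I) for pat in patterns)


def squid_config(hosts_file, urls_file):
    """Squid snippet referencing the two list files (ACL names and paths are assumptions)."""
    return "\n".join([
        f'acl ctb_hosts dstdomain "{hosts_file}"',
        f'acl ctb_urls url_regex -i "{urls_file}"',
        "http_access deny ctb_hosts",
        "http_access deny ctb_urls",
    ])


if __name__ == "__main__":
    urls = parse_urls(URL_LIST)
    print("# hosts\n" + "\n".join(hostnames(urls)))
    print("# urls\n" + "\n".join(url_regexes(urls)))
    print(squid_config("/etc/squid/ctb_hosts.txt", "/etc/squid/ctb_urls.txt"))
```

A bare hostname in a Squid dstdomain list matches that host only; prefix an entry with a dot to cover its subdomains as well. The list above mixes bare and "www." hosts, so decide per entry whether blocking the whole domain is acceptable.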