Last July we came across a crypto-ransomware variant known as Critroni or Curve-Tor-Bitcoin (CTB) Locker. We observed recent improvements to the CTB malware, which now offer a “free decryption” service, extended deadline to decrypt the files, and an option to change the language of the ransom message. These new variants also demand payment of 3 BTC (around $USD 630), while older ones seen in July only charged 0.2 BTC, or $USD 24.
Along with these improvements, we are also seeing a spike in these attacks in several regions, mainly in Europe-Middle East-Africa (EMEA), China, Latin America and in India.
We have previously reported about CTB Locker’s use of Tor to hide its activities but this new variant comes with notable, new differences.
This CTB-Locker variant arrives via spammed emails. These spammed messages were sent in different languages and often pretend to contain important notices so that the recipient is tricked into opening the attachment, which we noticed was archived twice.
Some of the spam samples used in these attacks were sent by systems that are part of the long-running CUTWAIL botnet. CUTWAIL is known for reusing available resources (including bots); it should not be a surprise that some of the IP addresses identified as part of this spam run have been part of our spam blacklists for years, with some addresses being blacklisted as early as 2004.
Figure 1. Sample spam emails with malicious .ZIP attachment that contain the downloader malware, TROJ_CRYPCTB.SMD
The attachment is actually a downloader malware, detected as TROJ_CRYPCTB.SMD. This malware connects to several URLs, leading to the download of the CTB-Locker malware onto the computer. This ransomware is detected as TROJ_CRYPCTB.SME. Checking these URLs, we determined that they are all compromised sites based in France. The malware goes through a round-robin type of method to select which URL to download the malware from.
Here’s a diagram explaining the attack, whose infection chain begins with the spammed message accompanied by a malicious .ZIP attachment, as shown in the sample spam in Figure 1.
Figure 2. Sample CTB-Locker infection chain
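Added example, not code from the original post: a small Python check for the delivery pattern described above, a ZIP attachment that itself contains another archive wrapping an executable. The sample message it builds is constructed here, with a harmless two-byte stub standing in for the downloader; file names and the extension list are assumptions.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Extensions that should not arrive inside a mail attachment (assumed list).
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".cab")
MAX_DEPTH = 3  # stop descending after this many nested archives

def inspect_zip(data, depth=0):
    """Return (nesting_depth, member_name) for nested archives and executables."""
    findings = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            payload = zf.read(info)
            if name.endswith(".zip") or zipfile.is_zipfile(io.BytesIO(payload)):
                findings.append((depth + 1, info.filename))   # archive inside archive
                findings.extend(inspect_zip(payload, depth + 1))
            elif name.endswith(EXEC_EXTENSIONS) or payload[:2] == b"MZ":
                findings.append((depth + 1, info.filename))   # executable content
    return findings

def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and inspect every ZIP attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data and zipfile.is_zipfile(io.BytesIO(data)):
            findings.extend(inspect_zip(data))
    return findings

def build_sample():
    """Constructed double-archived attachment; the 'exe' is an MZ-header stub, not malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("important_notice.exe", b"MZ" + b"\x00" * 62)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("important_notice.zip", inner.getvalue())
    msg = EmailMessage()
    msg["Subject"] = "Important notice"
    msg.set_content("Please see the attached notice.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="notice.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports the nested archive at depth 1 and the executable at depth 2, which is the signal a mail gateway rule would act on.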
The older TROJ_CRYPCTB.A variant seen in July gave users only 72 hours, while this new one allots users 96 hours for payment. The extension of the deadline might be for practical reasons: a longer deadline could mean more victims will be able to pay the fee.
Pressing “Next” leads to a page that displays a “Test Decryption” portion, in which the malware entices users with this freebie. The “Test Decryption” portion allows the decryption of five random files, seemingly to convince users that the decryption actually works. There are additional instructions that inform the user not to rename or delete files, and that only the chosen files will be decrypted. The malware also displays the ransom message in other languages like German, Dutch, and Italian.
Pressing ‘Next’ leads to the payment page, where the malware instructs victims to pay the amount of 3 BTC or $USD 630 in order to proceed with the file decryption; otherwise, all the files will permanently remain encrypted. The message also includes instructions on paying the ransom via the Tor browser. Below is a comparison between the older CTB-Locker variant we saw in July 2014 and its latest version.
Figure 3. New CTB-Locker variant demands up to $USD 630 or 3 BTC in order for users to decrypt their files
The message states that victims must pay the ransom by the deadline. Otherwise, all the files will permanently remain encrypted.
Analysis of the variant revealed a feature previously unseen in CTB Locker variants—the chance to decrypt files for free. This freemium model was seen in the malware CoinVault, but this CTB Locker variant upped the ante by allowing the victim to choose five files, rather than just one, to be decrypted.
The free decryption can be seen as a way to convince users to pay the ransom. Decrypting the files shows the victim that their other files can actually be recovered, provided they pay the fee.
Figure 4. “Free decryption” service
Another unique function or feature found in this variant is that the ransom message gives the user the option to select a language other than English. So far, three more languages were spotted: Italian, German, and Dutch.
Figure 5. Ransom messages in three more languages. Top left: Italian; Top right: German; Bottom: Dutch
Protection Against Crypto-Ransomware
The first line of defense in staying protected against this new type of ransomware is knowing how to properly discern spammed emails from legitimate ones. Though some emails may look legitimate in nature, it’s always best to check the sender’s address, subject line, and of course email contents for anything that appears suspicious.
Always remain cautious when dealing with unfamiliar files, emails, URLs, and most especially, email attachments. While it might be tempting to take the “free decryption” bait and pay the ransom, there is no guarantee that the cybercriminals will actually decrypt your files and have everything back to normal.
Users should also remember to routinely back up their data. The 3-2-1 principle should be in play: three copies, two different media, one separate location.
Related hashes for the downloader of CRYPCTB ransomware:
Related hashes for CRYPCTB:
With additional analysis by Homer Pacag, Lala Manly, Merianne Polintan, Michael Casayuran, Paul Pajares, Rika Gregorio and Ruby Santos
Updated February 18, 2015, 06:36 PM PST
TROJ_CRYPCTB.SMD has been renamed to TROJ_DALEXIS.SMK.