We recently discussed improvements to the CTB-Locker ransomware. To recap, the malware now offers a “free decryption” service, an extended deadline to decrypt the files, and an option to change the language of the ransom message.
We are seeing another wave of CTB-Locker ransomware making its way into the wild. What is highly notable about this current batch of crypto-ransomware is that it uses “big names” like Facebook and Google Chrome as social engineering lures.
The New Lures
We observed that the CTB-Locker ransomware arrives through spammed emails pretending to be from Google Chrome and Facebook.
The fake Google Chrome email pretends to be a notification about updating the recipient’s Chrome browser. Upon clicking the link, the user will be directed to a site hosting the malware. The malware uses a Google Chrome icon to disguise itself as a legitimate installer package. This is actually a variant detected as TROJ_CRYPCTB.YUX.
Figure 1. Fake Google Chrome email
Another lure used by cybercriminals is Facebook. The email arrives as an account suspension notification and instructs the user to click on an embedded link, which leads to the download of the malware.
Figure 2. Fake Facebook email
The malware uses a .PDF icon to disguise itself as a legitimate file. This malware is detected as TROJ_CRYPCTB.NSA.
Our findings show that both variants are hosted on compromised sites. Interestingly enough, each variant is hosted on a group of compromised sites that is linked to one IP address.
Connections to Phishing
Digging deeper into these compromised sites, we discovered that some of these URLs are associated with phishing spam, specifically those using PayPal as their lure.
Figure 3. Fake PayPal email
The spammed email arrives with the subject, “Take Action PayPal.” The email instructs the recipient to log in to their PayPal account to settle an issue by clicking a link in the email.
Upon clicking, the link redirects to a phishing site. The site asks not only for the user’s login credentials, but other important, sensitive information like contact details and credit card information.
Figure 4. Fake PayPal site
Figure 5. Information requested by the phishing site
Once the user completes all the information, the site then redirects the person to the legitimate PayPal login page. To avoid suspicion, it uses the excuse of needing to log in again for the changes to fully reflect in the PayPal account.
Using the same URLs as those of the CTB-Locker malware suggests that the threat actors distributing the ransomware are also dabbling in phishing.
Updates on CTB-Locker
In our previous entry, CTB-Locker Ransomware Includes Freemium Feature, Extends Deadline, we noted that the CTB-Locker variants included language support for four languages: English, German, Italian, and Dutch. This new batch of ransomware now supports seven languages, namely, French, Spanish, Latvian, German, Dutch, Italian, and English.
Figure 6. Ransom message
The malware also now arrives as a Windows installer package. The two new variants identified were wrapped in an installer built with NSIS. Cybercriminals leverage NSIS, an open source installer similar to InstallShield, to make analysis more difficult. When executed, the installer drops an encrypted version of the CRYPCTB malware and a library (.DLL) file. The library file decrypts and executes the ransomware, and deletes itself once that routine is complete.
In a surprising move, the cybercriminals adjusted the ransom payment for the decryption of files to 2 BTC, a fee lower than the 3 BTC ransom fee of previous variants.
The malware also uses a new set of Tor addresses to communicate with the affected system.
Trend Micro™ Smart Protection Network™ Data
We’ve noted here that the added languages are all for countries based in Europe. This suggests that these variants may be targeting the EMEA region.
Additionally, this theory is supported by data from the Smart Protection Network gathered from January 21 to February 6, 2015. Four of the top ten affected countries are in the EMEA region.
Figure 7. Top countries affected by CRYPCTB malware family
From what we have seen, the threat actors focused more on improving their chances of spreading the malware than on improving the design of the code itself. Once the malware is on the system, it can be very challenging to recover the files without the attackers’ help.
As we have mentioned in previous entries, it might be tempting to give in and pay the ransom fee to get back encrypted files. However, there is no guarantee that the cybercriminals will actually honor the exchange. At the very worst, the victim is left with no files and no money.
Most of these types of malware use spam as their gateway to infection, which is why users need to be cautious when dealing with suspicious-looking emails. We advise users to scrutinize each email, even those that come from seemingly legitimate senders. For this incident, the cybercriminals used the following email addresses to appear legitimate:
These email addresses might appear legitimate at first glance, but on closer inspection we see a typo in the supposed Google email address. Facebook does use the domain fb.com, but only as its corporate email domain; it will never use it to communicate with Facebook users. Meanwhile, PayPal uses the domain paypal.com, not paypal.co.uk.
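The three kinds of mismatch described above (a typo in the brand name, a brand name under the wrong suffix, and a brand-owned domain that is never used for user mail) can be pre-screened automatically. The following Python is an added example, not code from the original post; the allowlisted mail domains and the sample addresses are constructed assumptions and should be replaced with domains you have verified for your own environment.

```python
# Added example (not from the original post): classify an e-mail sender address
# against the mail domains a brand actually uses, to flag lookalike senders.
import re

# Assumed allowlist for this example; replace with domains you have verified.
USER_MAIL_DOMAINS = {
    "google": {"google.com", "accounts.google.com"},
    "facebook": {"facebookmail.com"},
    "paypal": {"paypal.com"},
}
# Brand-owned domains never used to mail end users (fb.com, as noted in the post).
CORPORATE_ONLY = {"fb.com": "facebook"}


def sender_domain(address):
    """Extract the lower-cased domain from 'Name <user@host>' or 'user@host'."""
    m = re.search(r"([^<>\s@]+)@([^<>\s@]+)>?\s*$", address)
    return m.group(2).lower() if m else None


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address):
    """Return (verdict, brand). Verdicts: legitimate, corporate-only,
    wrong-domain, lookalike, unrelated, unparseable."""
    domain = sender_domain(address)
    if domain is None:
        return ("unparseable", None)
    for brand, allowed in USER_MAIL_DOMAINS.items():
        if domain in allowed or any(domain.endswith("." + d) for d in allowed):
            return ("legitimate", brand)
    if domain in CORPORATE_ONLY:
        return ("corporate-only", CORPORATE_ONLY[domain])
    # Compare the left-most label with each brand name: the right name under the
    # wrong suffix (paypal.co.uk) and a near miss (a typo) are both suspicious.
    label = domain.split(".")[0]
    for brand in USER_MAIL_DOMAINS:
        if label == brand or brand in domain:
            return ("wrong-domain", brand)
        if edit_distance(label, brand) <= 2:
            return ("lookalike", brand)
    return ("unrelated", None)
```

The sample address with the Google typo (goggle.com) is constructed, since the post does not reproduce the actual sender addresses.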
Users should also remember to routinely back up their data. The 3-2-1 principle should be in play: three copies, two different media, one separate location.
With additional insight from Jon Oliver and Mary Ermitano-Aquino