What is CTB Locker or Critroni

What is CTB Locker or Critroni


CTB Locker (Curve-Tor-Bitcoin Locker)otherwise known as Critroni, is a file-encrypting ransomware infection that was released in the middle of July 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. Just like other file encrypting malware, the media continues to affiliate this infection with CryptoLocker when in fact this appears to have been developed by a different group using new technologies such as elliptical curve cryptography and the malware communicating with the Command and Control server over TOR. As discovered by Kafeine, this malware also appears to be part of a kit being sold online for $3,000 USD, which includes support in getting it up and running. With that said, expect to see other ransomware released using this kit, but possibly with different interfaces. More information on how this malware is being sold can be found in Kafeine’s article “Crypto Ransomware” CTB-Locker (Critroni.A) on the rise.

When you are first infected with CTB Locker it will scan your computer for data files and encrypt them so they are no longer accessible. Any file that is encrypted will have its file extension changed to CTB if it’s the older version and CTB2 if it’s a newer variant.. The infection will then open a ransom screen that states that your data was encrypted and prompts you to follow the instructions on the screen to learn how to purchase and pay the ransom of .2 BTC. This ransom amount is equivalent to approximately $120.00 USD.

When you become infected with the CTB Locker infection, the malware will store itself in the %Temp% folder as a random named executable. It will then create a hidden random named job in Task Schedule that launches the malware executable every time you login. Once infected the CTB Locker will scan your computer’s drives for data files and encrypt them. When the infection is scanning your computer it will scan all drive letters on your computer including mapped drives, removable drives, and mapped network shares. In summary, if there is a drive letter on your computer it will be scanned for data files by CTB Locker.

When CTB Locker detects a supported data file it will encrypt it using elliptical curve cryptography, which is unique to this ransomware infection. When the malware has finished scanning your drives for data files and encrypting them it will display a ransom screen that includes instructions on how to pay the ransom. It will also change your wallpaper to be the%MyDocuments%\AllFilesAreLocked <userid>.bmp file, which contains further instructiosn on how to pay the ransom. Finally it will also create the files %MyDocuments%\DecryptAllFiles <user_id>.txt and%MyDocuments%\<random>.html that also contain instructions on how to access the malware’s site in order to pay the ransom. More information about the ransom site will be discussed later in this guide.

Another uncommon characteristic of this infection is that it will communicate with its Command & Control Server directly via TOR rather than going over the Internet. This technique makes it more difficult, but not impossible, for law enforcement to track down the location of the C2 servers.

Last, but not least, each time you reboot your computer, the malware will copy itself to a new name under the %Temp% folder and then create a new task scheduler job to launch it on login. Therefore, it will not be unusual to find numerous copies of the same executable under different names located in the %Temp% folder.

This entry was posted in Antivirus and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>