‘CTB-Locker’ Ransomware Campaign

Over the last several days, Oxford users have reported a growing number of suspicious emails to the OxCERT team; this has coincided with the discovery of a number of personal and University machines afflicted by a new ‘ransomware’ variant known as CTB-Locker aka ‘Critroni‘, a sophisticated variant of the better-known CryptoLocker ransomware family.

It's a bit harder than this in real life

It’s a bit harder than this in real life

What is Ransomware?

Ransomware is a relatively new form of computer crime, whereby a malicious file is sent to infect the target PC, generally (albeit not exclusively) by email containing an attachment or weblink to the attachment. Upon downloading and running the malicious attachment, the ransomware is quietly installed in a similar manner to a computer virus; the distinction is that ransomware does not immediately spread to other computers, but instead begins to silently pursue its dark agenda.

Once entrenched within the target computer the ransomware begins to silently encrypt every non-system file that it can reach; this includes network drives, USB sticks, even Dropbox accounts can be affected in this way. Once the encryption process is complete, files cannot be accessed by the user and cannot be retrieved by IT support staff; the files are now available only to the owners of the ransomware program.

The user will then be extorted via an on-screen prompt to deliver some currency in the form of BitCoins or other anonymised internet coinage to the ransomer; this, it is promised, will allow you to retrieve your files, for the low low cost of 3 BitCoins (BTC), approximately equivalent to 640 Euro.

If you don’t know what it is, don’t open it

CTB-Locker stands for ‘Curve-Tor-Bitcoin‘, in reference to the three core technologies that make up this newer form of ransomware. Briefly;

  • Curve‘ refers to Elliptic Curve Encryption, an extremely strong form of encryption based on number theory and effectively impossible to decrypt this side of a trillion years.
  • Tor‘ refers to The Onion Router network, an anonymised form of communication that renders the call-home process extremely difficult to detect and intercept
  • Bitcoin‘ refers to the virtual currency extorted from victims of the ransomware,  problematic to trace or block by law enforcement

To our knowledge, this is the first variant of ransomware to employ such a wide range of emerging technologies in pursuit of its goal.

The CTB-Locker ransomware currently affects Microsoft Windows operating systems only; if further variants affecting Linux and/or Mac OS X are discovered then further bulletins will be released.

How do I recognise it?

The current CTB-Locker campaign is spread by email; inside the email there may be an attachment, usually a .zip or .cab file, that the recipient must open in order to become infected. The accompanying emails are often blank or nonsensical;

CTB-Locker emails often look like this

CTB-Locker emails often look like this

Together with many global CERT teams and vendors, OxCERT are supplying samples of CTB-Locker to our antivirus partners at Sophos; you may receive a mail that has been caught by the mail filtering system;

Sophos PureMessage has caught this mail

Sophos PureMessage has caught this mail

In this case you are likely safe, but remember the format of the mail so that you may protect yourself in future from new variants that may not be detected. This screen is an example of an infected machine:

If you see this, your data is likely already gone

If you see this, your data is likely already gone

If you see this screen then the files are effectively lost, we have no reliable way of retrieving them at present and victims of the ransomware are strongly discouraged from acceding to the demands of the extortionists; in short, do not give these people any money. Inform OxCERT immediately at oxcert@it.ox.ac.uk. You may wish to try some of the

Good general advice to protect yourself and colleagues from this new campaign is to avoid opening attachments that you do not recognise;

  • Check the file type: is it really an Office document or is it really a .zip, .cab, .exe or another system file?
  • Check the sender: have you ever heard of these people before or is it just an official-looking mail from a random sender?
  • Check the context: do you often receive this type of mail or is it unfamiliar?

If you receive a suspicious mail from a colleague or other Oxford user, it is possible that the user’s account has been compromised; in this case please inform OxCERT immediately at phishing@it.ox.ac.uk

I’m infected, what can I do?

The only substantive defensive against infection and subsequent data loss remains conscientious checking of email attachments before opening, and ensuring that all critical machines are supplied with up-to-date antivirus software from a reputable vendor. Should the worst happen there are some potential steps to recover some lost data, but it must be stated that these measures should be considered a last resort and are in no way guaranteed to produce results.

Restore from Backups

Regular, complete backups are a natural defense against data loss, but take care not to restore files onto a machine that is still infected.

Because ransomware isn't the only risk to your data

Because ransomware isn’t the only risk to your data

A complete rebuild of the affected machine should precede any backup restoration.

Forensic Data Recovery

Variants of CTB-Locker follow a predictable process when encrypting files; before the encryption can take place, the malware creates a copy of the target file. It then encrypts this file, and deletes the original. This has the unintended benefit of leaving a pristine copy of the original on the drive media, provided nothing overwrites the space in the mean time. Forensic data recovery software can, under the proper circumstances, recover a portion of the lost data if the infection is recognised early enough.

An example of commercial data recovery software

An example of commercial data recovery software

It is important to remember that once deleted, Windows believes files are effectively ‘free space’ and may overwrite parts of them.

Volume Shadow Copies

If your system has Microsoft’s VSS enabled, there is a chance that ‘shadow’ copies of the encrypted files remain on the drive. The recovery of VSS data varies by Operating System version, but a rough guide to the process can be found here: http://www.cabrini.edu/itr/help/help/vss.pdf. Users are advised to refer to local IT Support for additional assistance in restoring VSS data if it exists.

An example of a Windows 7 file with a Shadow Copy

An example of a Windows 7 file with a Shadow Copy

Please note that more recently-observed versions of CTB-Locker are attempting to delete VSS copies to counteract this method.

Cloud Storage Recovery

As CTB-Locker will also encrypt files on certain cloud storage providers such as DropBox and SkyDrive, it is worth noting that many cloud providers create deep copies of all data when it is modified. This means there may well be an extant backup of the lost data, you just need to know how to find it. DropBox as a prime example make this process extremely easy. If you find your DropBox files have been encrypted, please follow this excellent guide on the DropBox website to help you to recover previous versions;

DropBox File Recovery Interface

Many cloud storage hosts offer similar functions, please refer to the relevant support sites for further instruction.

Preventive Measures

Besides the standard countermeasures of user awareness and antivirus packages, proactive steps that can be taken where appropriate by proficient individuals. Please note that these measures may well conflict with existing configurations or software dependencies, so should only be taken only in full awareness of the consequences.


A free utility designed specifically to target ransomware, CryptoPrevent uses a variety of local system settings to restrict the ability of known ransomware to execute and encrypt data via Windows Software Restriction Policies. It is by no means foolproof and may conflict with desktop management configurations, but may offer some measure of protection;

Not for the faint of heart

Not for the faint of heart

CryptoPrevent is available here: http://www.foolishit.com/vb6-projects/cryptoprevent/

Further Reading

Posted in Current Threats, Email, Microsoft | Comments Off on ‘CTB-Locker’ Ransomware Campaign

Comments are closed.