New CTB-Locker campaign underway increased ransom timer and localization changes

Within the past few weeks, a new CTB-Locker, aka Critroni, campaign has been underway that uses emails that pretend to be fax notifications. These emails contain zip attachments claiming to be faxes for you or your company. When you open the zip file they will contain files that have the .scr extension and an icon that looks like a fax machine. When you double-click on the attached file, the installer will display a RTF file in Word or Wordpad that pretends to be an order or shipment notification fax. Behind-the-scenes, though, the installer is silently downloading and executing the CTB-Locker ransomware on your computer. It is not until all of your files are encrypted that you will then be shown a ransom notes with instructions on how to get your files back.
 

CTB-Locker/Critroni Attachment Icon

Thanks to @bartblaze, who provided the new samples, we can see that the changes in this new version of CTB-Locker are an increased ransom payment deadline and language localization changes. In previous version the ransom timer was set for 72 hours, but in this version the timer has been increased to 96 hours. The other change is different language localizations for the ransomware program. The original version allowed you to display the ransom note in either Russian or English. The new version of CTB-Locker has removed the Russian language option and added German, Dutch, and Italian. Screenshots of these new localizations can be found below.

As always, for the latest information on CTB-Locker, please see our CTB Locker and Critroni Ransomware Information Guide and FAQ or visit our CTB-Locker support topic.

Language localization screens:
 

CTB-Locker Ransomware with English Localization

CTB-Locker Ransomware with German Localization

CTB-Locker Ransomware with Dutch Localization

CTB-Locker Ransomware with Italian Localization

The delivery method seems similar to the original cryptolocker. I am glad I still have email policies in place that block these file types along with all other runable file types.

Edited by zingo156, 20 January 2015 - 03:22 PM.

Will there become a unlocker avaibole for this one? It scares me if I lost all my data.

How is the protection of it, for example with EAM?

Wonder if these are also distributed via downloader trojans and botnets.

How is the protection of it, for example with EAM?

I believe Emsisoft products' behavior blocker works against crypto ransomware in general.

Thank you for the update Grinler.

This new CTB-Locker push had me confused in mid-December (I thought it was a new ransomware), until someone finally sent me a copy of the BMP image that their desktop background was changed to.

I believe Emsisoft products' behavior blocker works against crypto ransomware in general.

Yes, anything installed by a trojan should cause a notification from the Behavior Blocker (probably "invisible install" or something similar), and any time something that's not automatically trusted (such as unknown executables) tries to create loadpoints there should be a notification from the Behavior Blocker.

Edited by GT500, 20 January 2015 - 04:30 PM.

Do we know where is the .scr file running from ?

Is it from %AppData%, %LocalAppData% ?

Will there become a unlocker avaibole for this one? It scares me if I lost all my data.

Unfortunately, not at this time. Unless we get access to the keys, nothing can be done.

How is the protection of it, for example with EAM?

Pretty good in fact. EAM and MBAM both detect the main installer. So if you had either installed you would not have been infected.

Do we know where is the .scr file running from ?
Is it from %AppData%, %LocalAppData% ?

The scr file is included in the ZIP file attachment in the email you receive. If you open it directly from the attachment it may launch from %Temp% or the temporary internet files folder.

Maybe I am getting a little paranoid but I'm adding this to my GPO Software restrictions. It is probably overkill but it can't hurt.

 

Just trying to stay ahead of the curve

Nother peece of malware crap

 

Will there become a unlocker avaibole for this one? It scares me if I lost all my data.

Unfortunately, not at this time. Unless we get access to the keys, nothing can be done.

How is the protection of it, for example with EAM?

Pretty good in fact. EAM and MBAM both detect the main installer. So if you had either installed you would not have been infected.

 

Thanks!

 

I've both installed EAM and MBAM so I must be safe?

Since this morning Forefront security (on exchange) also blocks this, Barracuda EMail Security blocks it as well.

hi all, so i came across a new variant of this cryptolocker with the 92hour timer in english. I have managed to use a few tools to clear the infection but now the https://www.decryptcryptolocker.com/ tool does not work to decrypt the infected files. anyone had some luck with another tool?

 

thanks

Decryptcryptolocker.com does not work with this ransomware. At this time there is no free decryption method.

This bleep happened to me the other day. It literally STOLE my life from me. I am an aspiring musician with loads of lyric and song fragments that I've created over the years.

Its all gone. ..

They wanted 1.9 bitcoin. Which is around 415$ USD. As a person with little money, I have no means to pay. But if I did I would pay in an instant to save irreplaceable files. ..

I tried everyday to conjure up the money and to no avail...

I've nothing to add here just a whiny post. I know there's nothing to be done without the private key. But damn, I hope in the future there will be a way to decrypt these precious files for me.

Yes I know I should have backed up my irreplaceable files, thats the last thing I think about when I'm trying to be creative. Sucks for my dumbass self.