Top 3 Ransomware Families of 2015. CTB-Locker - How-to, Technology and PC Security Forum | SensorsTechForum.com

Top 3 Ransomware Families of 2015. CTB-Locker

Our three-part article series continues with a detailed description and analysis of CTB-Locker. Jump to the first part, dedicated to CryptoWall, the biggest ransomware family of 2015.

CTB-Locker/ Critroni Ransomware Background Check

Security researchers have observed thousands of CTB-Locker infections. CTB-Locker, also known as Critroni, was first offered on underground forums in June 2014. The name CTB-Locker stands for Curve-Tor-Bitcoin: "Curve" refers to the elliptic curve encryption scheme used for the file encryption, and Tor and Bitcoin need no introduction.


When it first emerged, CTB-Locker's ransom message was available in only two languages, Russian and English. However, that changed quickly, and the ransom message started appearing in other languages as well. The ransomware has targeted Italian-, Dutch-, German-, Spanish-, Latvian- and French-speaking users by posing as a financial institution and sending out malicious attachments.

CTB-Locker Unique Features

As expected, CTB-Locker's command and control servers are located in the Tor network. However, they play little role in the initial infection. What is particularly interesting about CTB-Locker is that no Internet connection is needed for the encryption process to complete. As for the encryption itself, the Italian researcher Zairon (his blog: https://zairon.wordpress.com/) has documented another unique feature of CTB.

The ransomware uses an encryption scheme that combines SHA-256 with elliptic curve cryptography. Restoring the encrypted files is only possible with the master key, which is hosted on the attackers' server.

CTB-Locker also runs an affiliate program in which other 'volunteers' can join and receive a cut of the collected ransoms. The program is also hosted on Tor, where an updated changelog is kept of whatever is new in the ransomware's functionality.

CTB-Locker Network Behavior

We have already noted that CTB-Locker does not need an Internet connection to encrypt the user's files. Once such a connection is available, the ransomware sends the encryption information to its control server hosted on the Tor anonymity network. To do this, CTB uses the Tor2Web service, which acts as a proxy between the regular web and Tor. CTB can also check online for the infected machine's external IP address.
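Because CTB reaches Tor through a Tor2Web proxy rather than through a Tor client, its check-in shows up in ordinary web proxy or DNS logs as a request to a public gateway domain, which a defender can look for. The script below is an added example, not code from the original article or from SensorsTechForum: the log format, the sample lines, the client address and the gateway suffix list are all constructed assumptions for illustration, and a real deployment would maintain its own current gateway list.

```python
"""Flag web requests that go through Tor2Web gateways.

Added example for the CTB-Locker write-up; not code from the original article.
Assumptions: the log format below is a constructed, simplified proxy log
("timestamp client host method path"), and the gateway suffix list is an
illustrative starting point that an operator would have to keep current.
"""
import re
from typing import Dict, List, Optional

# Constructed/assumed: public suffixes that Tor2Web-style gateways have used.
TOR2WEB_SUFFIXES = (
    ".onion.to",
    ".onion.cab",
    ".onion.city",
    ".onion.link",
    ".tor2web.org",
)

# v2 onion names are 16 base32 chars, v3 names are 56; digits 0, 1, 8, 9 never occur.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def classify_host(host: str) -> Optional[Dict[str, Optional[str]]]:
    """Return gateway details if `host` is a Tor2Web request, otherwise None."""
    host = host.lower().rstrip(".")
    for suffix in TOR2WEB_SUFFIXES:
        bare = suffix.lstrip(".")
        if host == bare:
            # Front page of the gateway itself: no hidden service named.
            return {"gateway": bare, "onion": None}
        if host.endswith(suffix):
            # The label right before the gateway suffix is the hidden service name.
            label = host[: -len(suffix)].split(".")[-1]
            onion = f"{label}.onion" if ONION_LABEL.match(label) else None
            return {"gateway": bare, "onion": onion}
    return None


# Constructed sample log: one benign request, a bare gateway front page, one
# request that proxies to a (made-up) hidden service, and an external IP lookup.
SAMPLE_PROXY_LOG = """\
2015-03-12T10:01:02Z 10.0.0.15 www.example.com GET /index.html
2015-03-12T10:01:09Z 10.0.0.15 onion.to GET /
2015-03-12T10:01:10Z 10.0.0.15 exampleonion2345.onion.to POST /upload
2015-03-12T10:01:11Z 10.0.0.15 checkip.example.net GET /
"""


def find_tor2web_requests(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Scan a proxy log and return one record per Tor2Web request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash on them
        ts, client, host, method, path = parts[:5]
        info = classify_host(host)
        if info is not None:
            hits.append({"time": ts, "client": client, "host": host,
                         "method": method, "path": path, **info})
    return hits


if __name__ == "__main__":
    for hit in find_tor2web_requests(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} "
              f"(gateway={hit['gateway']}, onion={hit['onion']})")
```

The gateway front-page visit and the proxied hidden-service request are both reported, but only the latter carries a recovered `.onion` name; pairing such a hit with an external IP lookup from the same client within a few seconds, as the article describes, is a useful correlation to build on top of this.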

CTB-Locker File-System Behavior

As with other ransomware threats, CTB drops a ransom message on the targeted system after the encryption process has finished. The lock screen image may look like this:

[Image: CTB-Locker/Critroni ransom message]

Also, a pop-up application stored on the local machine can be displayed, containing payment instructions such as:

  • A payment ID.
  • A list of the encrypted files.
  • A countdown counter.

A copy of the same text is stored on the file system as a text file, together with a copy of the background image. CTB-Locker is also designed to disable the Volume Shadow Copies on the system, so that earlier versions of the files cannot be restored from them.
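Disabling Volume Shadow Copies leaves a trace in process-creation telemetry, which is one of the more reliable places to catch a ransomware run early. The script below is an added example, not code from the original article or from SensorsTechForum: the flattened key=value event format, the sample events, the file paths and the rule names are constructed assumptions, and the command patterns are the commonly documented shadow-copy removal commands (MITRE ATT&CK T1490), which you would extend for your own estate.

```python
"""Flag process-creation events that delete or shrink Volume Shadow Copies.

Added example for the CTB-Locker write-up; not code from the original article.
Assumptions: the event format is a constructed, flattened "key=value" text line
(not real Sysmon XML), and the command patterns cover the commonly documented
ways shadow copies are removed (vssadmin, wmic); extend them for your estate.
"""
import re
from typing import Dict, List

# Each rule: a name and a regex over the command line. Case-insensitive because
# Windows command lines are.
SHADOW_TAMPER_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize_storage", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]

# A parent process launched from a user-writable location (where a dropped
# mail attachment usually lands) makes the alert more suspicious.
USER_WRITABLE_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.I)

# Constructed sample events: a benign shell start, a deletion spawned by a
# dropped "invoice.exe", a harmless listing, and a WMIC deletion.
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe CommandLine="C:\Windows\explorer.exe"
EventID=1 Image=C:\Windows\System32\vssadmin.exe ParentImage=C:\Users\alice\AppData\Local\Temp\invoice.exe CommandLine="vssadmin.exe Delete Shadows"
EventID=1 Image=C:\Windows\System32\vssadmin.exe ParentImage=C:\Windows\System32\svchost.exe CommandLine="vssadmin list shadows"
EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe ParentImage=C:\Users\alice\AppData\Local\Temp\invoice.exe CommandLine="wmic shadowcopy delete"
"""


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value line into a dict; quoted values may hold spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def detect_shadow_tampering(event_text: str) -> List[Dict[str, str]]:
    """Return one alert per process-creation event matching a tampering rule."""
    alerts = []
    for line in event_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "1":  # only process-creation events
            continue
        cmd = ev.get("CommandLine", "")
        for rule, pattern in SHADOW_TAMPER_RULES:
            if pattern.search(cmd):
                parent = ev.get("ParentImage", "")
                severity = "high" if USER_WRITABLE_PATH.search(parent) else "medium"
                alerts.append({"rule": rule, "severity": severity,
                               "parent": parent, "command": cmd})
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_tampering(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['command']} "
              f"(parent={alert['parent']})")
```

The benign `vssadmin list shadows` from a system service is deliberately not matched, while both deletions spawned from a dropped executable in the user's Temp directory are raised at high severity; in practice this rule belongs alongside a block on shadow-copy deletion and a tested offline backup, since the shadow copies are exactly what the ransomware goes after.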

Stay tuned! Part III is coming soon! Until then, feel free to join our security forums and tell us about your experiences with ransomware!



Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys 'Mr. Robot' and fears '1984'. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
