CTB-Locker Ransomware Includes Freemium Feature, Extends Deadline

Last July we came across a crypto-ransomware variant known as Critroni or Curve-Tor-Bitcoin (CTB) Locker. We observed recent improvements to the CTB malware, which now offer a “free decryption” service, extended deadline to decrypt the files, and an option to change the language of the ransom message. These new variants also demand payment of 3 BTC (around $USD 630), while older ones seen in July only charged .02 BTC, or $USD 24.

Along with these improvements, we are also seeing a spike in these attacks in several regions, mainly in Europe-Middle East-Africa (EMEA), China, Latin America and in India.

CTB-Locker Infection

We have previously reported about CTB Locker’s use of Tor to hide its activities but this new variant comes with notable, new differences.

This CTB-Locker variant arrives via spammed emails. These spammed messages were sent in different languages and often pretend to contain important notices so that the recipient is tricked into opening the attachment, which we noticed was archived twice.

Some of the spam samples used in these attack were sent by systems that are part of the long-running CUTWAIL botnet. CUTWAIL is known for reusing available resources (including bots); it should not be a surprise that some of the IP addresses identified as part of this spam run have been part of our spam blacklists for years, with some addresses being blacklisted as early as 2004.

Figure 1. Sample spam emails with malicious .ZIP attachment that contain the downloader malware, TROJ_CRYPCTB.SMD

The attachment is actually a downloader malware, detected as TROJ_CRYPCTB.SMD. This malware connects to several URLs, leading to the download of the CTB-Locker malware onto the computer. This ranswomware is detected as TROJ_CRYPCTB.SME. Checking these URLs, we determined that they are all compromised and based in France. The malware goes through a round-robin type of method to select which URL to download the malware from.

Here’s a diagram explaining the attack, whose infection chain begins with the spammed message accompanies with a malicious .ZIP attachment as show in the sample spam in Figure 1.

Figure 2. Sample CTB-Locker infection chain

New Developments

The older TROJ_CRYPCTB.A variant seen in July gave users only 72 hours, while this new one allots users 96 hours for payment. The extension of the deadline might be for practical reasons: a longer deadline could mean more victims will be able to pay the fee.

Pressing “next” leads to a page that displays a “Test Decryption” portion, in which the malware entices users with this freebie. The “Test Decryption” portion allows decrypt for five random files, seemingly to convince users that the decryption actually works. There are additional instructions that inform the user not to rename or delete files, and only chosen files will be decrypted. The malware also displays the ransom message in other languages like German, Dutch, and Italian.

Pressing ‘Next’ leads to the payment page, where the malware instructs victims to pay the amount of 3 BTC or $USD 630 in order to proceed with the file decryption; otherwise, all the files will permanently remain encrypted. The message also includes instructions on paying the ransom via Tor browser. Below is a comparison between the older CBT-Locker variant we saw in July 2014 and its latest version.

Figure 3. New CBT-Locker variant demands up to $USD 630 or 3 BTC in order for users to decrypt their files

The message states that victims must pay the ransom by the deadline. Otherwise, all the files will permanently remain encrypted.

Analysis of the variant revealed a feature previously unseen in CTB Locker variants—the chance to decrypt files for free. This freemium model was seen in the malware CoinVault, but this CTB Locker variant upped the ante by allowing the victim to choose five files, rather than just one, to be decrypted.

The free decryption can be seen as a way to convince users to pay the ransom. Decrypting the files show the victim that their other files can actually be recovered—if they pay the fee.

Figure 4. “Free decryption” service

Another unique function or feature found in this variant is that the ransom message gives the user the option to select the language, apart from English. So far, three more languages were spotted:, Italian, German, and Dutch.

Figure 5. Random messages in three more languages. Top left: Italian; Top right: German; Bottom: Dutch

Protection Against Crypto-Ransomware

The first line of defense in staying protected against this new type of ransomware is knowing how to properly discern spammed emails from legitimate ones. Though some emails may look legitimate in nature, it’s always best to check the sender’s address, subject line, and of course email contents for anything that appears suspicious.

Always remain cautious when dealing with unfamiliar files, emails, URLs, and most especially, email attachments. While it might be tempting to take the “free decryption” bait and pay the ransom, there is no guarantee that the cybercriminals will actually decrypt your files and have everything back to normal.

Users should also remember to routinely back up their data. The 3-2-1 principle should be in play: three copies, two different media, one separate location.

Related hashes for the downloader of CRYPCTB ransomware:

15a49a48a406902cfed2f7cfc6bcf0640aa00a46
3071c4419d5e67970206d524334ce0c65593d741
46f003336c1c726f2f8110c53292a10d0b585ded
69841be4aa6134facc24e6401a470d19d70884ee
6a1127180d19b8f9b7f1b9d2c2682eee2c0ba0b0
6eb03d6cb4f9a5aae49a9d85652a4daa4f984ba8
81f68349b12f22beb8d4cf50ea54d854eaa39c89
c2981fd43e72369de4118727b9b1117f07906dda
f1897120c2bbcd5135db0295249118aa5f5eb116
6eb03d6cb4f9a5aae49a9d85652a4daa4f984ba8
358c555cee162833706bb995cbf8d1d1ae79864a
ac34a415a7900053789d4b676eb7aa49a8fa9b5d

Related hashes for CRYPCTB:
c74fc2f0f2ff530f02b92cdc53fb731b7cf77039
81f68349b12f22beb8d4cf50ea54d854eaa39c89
0d4b6401eb5f89ff3a2cf7262872f6b3d903b737

With additional analysis by Homer Pacag, Lala Manly, Merianne Polintan, Michael Casayuran, Paul Pajares, Rika Gregorio and Ruby Santos