CTB-Locker is downloaded and installed on a system by a separate trojan-downloader program. Once installed on the system, it encrypts files on the system and displays a demand for payment in return for a decryption key to restore access to the affected files.
For more information, see:
Spread in spam emails
The CTB-Locker is spread in spam email messages containing a file attachment (typically, of type ZIP or CAB). The attachment may be double-zipped - i.e., a ZIP file contains a second ZIP file. The attachment contains an executable program that uses the .SCR extension, which makes it appear to be a screensaver program. This executable is identified as Trojan-Downloader:W32/Dalexis.
If the user opens the attachment and runs the executable program, Dalexis will contact a predetermined list of compromised websites and download an encrypted copy of CTB-Locker on the user's machine. It will then decrypt and run the ransomware.
Encryption & ranson
Once run, CTB-Locker will encrypt files on the machine and append the original filenames with a randomly generated 7-character long extension.
It will then display a ransom notice and instructions for making the payment, as well as a countdown timer showing how long the user has to pay the ransom demanded. The desktop background is changed to display the same notice and a copy of the instructions is also saved to the My Documents folder.
Details of CTB-Locker were originally included in the Cryptolocker description. They have since been moved to this threat description to minimize confusion between these two ransomware families.