CTB-Locker

Classification

Category :

Malware

Type :

Trojan

Aliases :

Trojan.Downloader.CryptoLocker.F, Trojan.CTBLocker.Gen.1, Trojan-Downloader:W32/Dalexis.B, Trojan.Dalexis.Gen

Summary

CTB-Locker is ransomware that encrypts files on the affected machine and demands payment in return for the decryption key needed to restore access to the files.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Restore from backup

Like most ransomware, though the malware itself can be removed, the encryption used to take the files hostage is sufficient to make it very difficult to decrypt the files without the necessary decryption key.

In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a recent, clean backup.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

CTB-Locker is downloaded and installed on a system by a separate trojan-downloader program. Once installed on the system, it encrypts files on the system and displays a demand for payment in return for a decryption key to restore access to the affected files.

For more information, see:

Spread in spam emails

The CTB-Locker is spread in spam email messages containing a file attachment (typically, of type ZIP or CAB). The attachment may be double-zipped - i.e., a ZIP file contains a second ZIP file. The attachment contains an executable program that uses the .SCR extension, which makes it appear to be a screensaver program. This executable is identified as Trojan-Downloader:W32/Dalexis.

If the user opens the attachment and runs the executable program, Dalexis will contact a predetermined list of compromised websites and download an encrypted copy of CTB-Locker on the user's machine. It will then decrypt and run the ransomware.

Encryption & ranson

Once run, CTB-Locker will encrypt files on the machine and append the original filenames with a randomly generated 7-character long extension.

It will then display a ransom notice and instructions for making the payment, as well as a countdown timer showing how long the user has to pay the ransom demanded. The desktop background is changed to display the same notice and a copy of the instructions is also saved to the My Documents folder.

Note

Details of CTB-Locker were originally included in the Cryptolocker description. They have since been moved to this threat description to minimize confusion between these two ransomware families.