BREAKING NEWS!
In a previous advisory on online attacks, dated 5 January, it was reported that CryptoLocker was one of the most dangerous ransomware families (see Definition). It encrypts your files and demands a sum of money in exchange for the decryption key.
The CryptoLocker network was taken down by state authorities and private entities last year. The menace is now back under the name CTB (Curve-Tor-Bitcoin) Locker, one of the latest variants of CryptoLocker. It spreads via email and spam attachments.
Here’s a bit of information on the term CTB from a report by Heimdal Security:
Curve comes from its persistent cryptography based on elliptic curves, which encrypts the affected files with a unique RSA key;
Tor comes from the malicious server placed in onion-domain (TOR), which is very difficult to take down;
Bitcoin refers to the possibility to pay in bitcoins, avoiding normal payment systems that can lead back to online criminals.
Such malware is developed so that online criminals without much technical background can use it: it is easy to use and deploy by less knowledgeable people. This is the world of Crime as a Service (CaaS – see Definition), which has become a well-oiled machine built on a network of players, each carrying out a specific function.
How does ransomware spread?
Ransomware such as CTB Locker is spread through aggressive spam campaigns. The email message is sent on the pretext of a fax message that requires the recipient’s immediate response. Attached to the email is a zip file. If the zip file is opened, the data on the computer system is encrypted and the victim is asked to pay a ransom in return for the decryption key that unlocks the encrypted data.
Be wary of emails carrying zip attachments with the following file names:
disgruntled.zip
facto.zip
headband.zip
woodworking.zip
firefly.zip
This list is not exhaustive, however.
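As an added example, not part of the original advisory, the following script scans mail-gateway log lines for the two indicators described above: a zip attachment whose name is on the advisory's list, or a zip attachment sent under a fax pretext. The log format and the sample lines are constructed for this illustration.

```python
import re

# Attachment names listed in the advisory for the CTB Locker spam campaign.
KNOWN_ATTACHMENTS = {"disgruntled.zip", "facto.zip", "headband.zip",
                     "woodworking.zip", "firefly.zip"}

# Constructed sample lines in a hypothetical mail-gateway log format:
# <timestamp> from=<addr> subject="<text>" attachment=<name>
SAMPLE_LOG = """\
2015-01-20T08:01:11 from=billing@example.net subject="Invoice 2231" attachment=invoice_2231.pdf
2015-01-20T08:03:54 from=fax-service@example.org subject="You have a new fax" attachment=facto.zip
2015-01-20T08:05:02 from=hr@example.com subject="Team offsite" attachment=agenda.docx
2015-01-20T08:07:39 from=noreply@example.info subject="Fax received - reply immediately" attachment=report.zip
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) subject="(?P<subject>[^"]*)" attachment=(?P<att>\S+)$'
)


def classify(line):
    """Return the list of reasons a log line is suspicious (empty list = clean)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    att = m.group("att").lower()
    subject = m.group("subject").lower()
    if att in KNOWN_ATTACHMENTS:
        reasons.append("attachment name matches advisory list")
    if att.endswith(".zip") and "fax" in subject:
        reasons.append("zip attachment with fax pretext subject")
    return reasons


def scan(log_text):
    """Return [(line_number, reasons), ...] for every suspicious line in the log."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        reasons = classify(line)
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(reasons)}")
```

Running it against the constructed log flags line 2 on both indicators and line 4 on the fax pretext alone; the attachment list is a starting point to extend with your own gateway's observations, not a complete signature.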
How does it work?
- The victim receives an email with a zip file attachment.
- When the zip file is opened, a downloader (see Definition) is placed on the system.
- The downloader carries a list of domains controlled by the attackers and connects to them to fetch CTB Locker.
- One of the domains sends back CTB Locker, which is then installed on the system.
- The ransomware then encrypts the system data.
- The victim is then presented with a screen (see below) and with instructions on how to pay for the decryption key.
Recommendation
Let’s look at how you can keep from being a victim of CTB Locker:
- DO NOT download or access email attachments from unknown sources. Even if you know the sender, be careful.
- DO NOT click links in emails, especially from people whom you don’t know.
- Create a backup of your important data on external media, such as an external hard disk, CD or thumb drive (USB drive).
- Adjust your web browser settings to make it more secure.
- Ensure that your Windows operating system and any third-party applications such as Adobe Reader are up to date with the latest security patches.
Definition
- Crime-as-a-Service – where cybercriminals offer their services for a fee.
- Ransomware – a type of malicious software that blocks access to a computer system until a ransom is paid. It basically holds your computer hostage until money is paid to the “kidnapper”.
- Downloader – software that may download malware to a computer system. It can also be adware.
Source
Heimdal Security