Volume Shadow Copy Patch

CTB Locker and Critroni Ransomware Information Guide and FAQ

Info: There is a CTB Locker support topic, which contains discussion about CTB Locker and the experiences of those infected. If you are interested in this infection or wish to ask questions about it, please visit the CTB Locker support topic. Once at the topic, and if you are a member, you can ask or answer questions and subscribe in order to get notifications when someone adds more information to the topic.

What is CTB Locker or Critroni?

CTB Locker (Curve-Tor-Bitcoin Locker), otherwise known as Critroni, is a file-encrypting ransomware infection that was released in the middle of July 2. It targets Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. Just like other file-encrypting malware, the media continues to affiliate this infection with CryptoLocker, when in fact it appears to have been developed by a different group using newer techniques such as elliptic curve cryptography and communication between the malware and its Command and Control server over TOR. As discovered by Kafeine, this malware also appears to be part of a kit being sold online for 3,0. USD, which includes support in getting it up and running. With that said, expect to see other ransomware released using this kit, but possibly with different interfaces.
More information on how this malware is being sold can be found in Kafeine's article "Crypto Ransomware CTB Locker (Critroni.A) on the rise".

When you are first infected with CTB Locker it will scan your computer for data files and encrypt them so they are no longer accessible. In the past, any file that was encrypted would have its file extension changed to .CTB or .CTB2. The current version instead adds a random file extension to encrypted files. The infection will then open a ransom screen that states your data was encrypted and prompts you to follow the instructions on the screen to learn how to purchase and pay the ransom of. BTC. This ransom amount is equivalent to approximately 1. USD.

When you become infected with CTB Locker, the malware will store itself in the Temp folder as a randomly named executable. It will then create a hidden, randomly named job in Task Scheduler that launches the malware executable every time you log in. Once installed, CTB Locker will scan your computer's drives for data files and encrypt them. When the infection is scanning your computer it will scan every drive letter on your computer, including mapped drives, removable drives, and mapped network shares. In summary, if there is a drive letter on your computer, it will be scanned for data files by CTB Locker. When CTB Locker detects a supported data file it will encrypt it using elliptic curve cryptography, which is unique to this ransomware infection.
When the malware has finished scanning your drives for data files and encrypting them, it will display a ransom screen that includes instructions on how to pay the ransom. It will also change your wallpaper to the file My Documents\AllFilesAreLocked <userid>. Finally, it will also create the files My Documents\DecryptAllFiles <userid> and My Documents\<random>. More information about the ransom site will be discussed later in this guide.

Another uncommon characteristic of this infection is that it communicates with its Command & Control server directly via TOR rather than over the public Internet. This technique makes it more difficult, but not impossible, for law enforcement to track down the location of the C2 servers.

Last, but not least, each time you reboot your computer, the malware will copy itself to a new name under the Temp folder and then create a new Task Scheduler job to launch it on login. Therefore, it will not be unusual to find numerous copies of the same executable under different names in the Temp folder.

What are these new extensions like .CTBL or .CTB2 that are added to the encrypted files?

When you become infected with CTB Locker or Critroni, the infection will encrypt your files and then rename them with a new extension. Older versions of CTB Locker would change the file extension to .CTBL or .CTB2, while newer ones use a random extension. These files are simply your normal data files that have been encrypted. There is no way to open an encrypted file unless you first decrypt it by paying the ransom. If you do attempt to open a file with a program, the program may state that it is corrupted or just display garbled text on the screen. The only way to recover these files so that they show the original, correct information is to restore them in some manner or pay the ransom.

What should you do when you discover your computer is infected with CTB Locker?
If you discover that your computer is infected with CTB Locker, you should immediately scan your computer with an anti-virus or anti-malware program. Unfortunately, most people do not realize CTB Locker is on their computer until it displays the ransom note, by which point their files have already been encrypted. The scans, though, will at least detect and remove the infection from your computer so that it no longer starts when you log in to Windows. To manually remove the infection you would need to delete any malware executables from the Temp folder and then remove the hidden job from the Windows Task Scheduler. This removes the main infection, but will not restore your encrypted files.

New variant of CTB Locker offers free decryption of 5 files

A new variant of Critroni, aka CTB Locker, now provides the ability to decrypt 5 files as proof that the malware developer can restore your files. At the main decryption screen that pops up on your desktop when you are infected, if you press Next you will now be prompted to decrypt 5 files for free. When you click on the Search button, it will randomly select 5 encrypted files and decrypt them for you. This is done to show proof that paying the ransom will actually enable you to recover your files.

CTB Locker for Websites

In February of 2. CTB Locker released a new variant that targets and encrypts websites. This new version, which we have dubbed CTB Locker for Websites, is installed through hacked sites where the developer replaces the site's index. This replacement index. More detailed information and analysis can be found in this article: CTB Locker for Websites: Reinventing an old Ransomware.

What happens if you do not pay the CTB Locker ransom in time?

When you are infected with the CTB Locker ransomware it will state that you have 9. This is simply a scare tactic and you will still be able to pay the ransom, but will instead need to do it through their TOR site.
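The persistence the guide describes (a randomly named executable in the Temp folder, launched at logon by a hidden Task Scheduler job that is recreated under a new name on every reboot) can be triaged before anything is deleted. The PowerShell script below is an added example and is not part of the original guide; it lists scheduled tasks whose action runs an executable out of a Temp folder and hashes the referenced files so copies can be matched across reboots. It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module (on older systems the same data comes from `schtasks /query /v /fo csv | ConvertFrom-Csv`), and the Temp folder layout under C:\Users is an assumed default; no task or file names are taken from the malware, which randomizes them.

```powershell
# Added example, not code from the original guide.
# Report scheduled tasks whose action launches an executable from a Temp folder,
# the persistence pattern the guide attributes to CTB Locker. Report only: an
# analyst reviews the output before disabling or removing anything.
# Assumes Windows 8 / Server 2012+ (ScheduledTasks module). Run elevated to see
# every user's tasks; unprivileged runs only show the current user's tasks.

$tempRoots = @(
    [IO.Path]::GetFullPath($env:TEMP),
    [IO.Path]::GetFullPath((Join-Path $env:LOCALAPPDATA 'Temp')),
    'C:\Users\*\AppData\Local\Temp'   # other profiles; assumed default layout
)

function Test-TempPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Task actions often carry quotes and %VARS%; normalise before matching
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($root in $tempRoots) {
        if ($expanded -like "$root*") { return $true }   # -like is case-insensitive
    }
    return $false
}

$findings = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only exec actions have an Execute property; COM handler actions do not
        if ($action.PSObject.Properties['Execute'] -and (Test-TempPath $action.Execute)) {
            [PSCustomObject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                State     = $task.State
                Hidden    = $task.Settings.Hidden
                Execute   = $action.Execute
                Arguments = $action.Arguments
                # Trigger class names (e.g. MSFT_TaskLogonTrigger) show when it fires
                Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Hash each referenced file: the guide notes the malware re-copies itself under
    # a new name every reboot, so identical hashes tie the copies together.
    $findings | ForEach-Object {
        $exe = [Environment]::ExpandEnvironmentVariables($_.Execute.Trim('"'))
        if (Test-Path -LiteralPath $exe) { Get-FileHash -Algorithm SHA256 -LiteralPath $exe }
    }
} else {
    'No scheduled tasks launch an executable from a Temp folder.'
}
```

A legitimate installer occasionally leaves a task pointing into Temp, so a hit is a lead rather than a verdict; a hidden task with a logon trigger whose target is a randomly named executable, and whose hash recurs under different file names, matches the behaviour described above and is what to escalate.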
When the timer counts down to 0, you will be shown a Time Expired screen that gives instructions on how to pay the ransom, as shown below.

Time Expired Screen

Once you press the Exit button, the program will be closed and the malware file will be deleted. At this point you can open the DecryptAllFiles.txt file found in the Documents folder and follow the instructions there on how to access the CTB Locker decryption site.

Is it possible to decrypt files encrypted by CTB Locker?

Unfortunately, at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom on the CTB Locker site. Brute forcing the decryption key is not realistic due to the length of time required to break this type of cryptography.

This entry was posted on 12/5/2017.