Crypto Ransomware CTB-Locker (Critroni.A)


Move over CryptoLocker, there’s a newer and meaner kid on the block.
CTB-Locker, or Curve-Tor-Bitcoin Locker, uses the Tor network (free software and an open network that helps defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security) to maintain anonymity, which makes tracing the culprits more difficult. Detected infections have been on the rise since June of this year.
This strain of ransomware also compresses the files it encrypts, using Zlib, and employs ECDH (Elliptic Curve Diffie-Hellman) key agreement, another unusual feature. ECDH is an anonymous key agreement protocol that allows two parties, each holding an elliptic curve public-private key pair, to establish a shared secret over an insecure channel. That shared secret may be used directly as a key or, better yet, to derive another key that is then used to encrypt subsequent communications with a symmetric cipher. It is a variant of the Diffie-Hellman protocol using elliptic curve cryptography. The ransomware's authors insist that decryption of files without payment is impossible due to RSA-3072 encryption.
Like CryptoLocker, CTB-Locker/Critroni generates a public and private key pair for every infected system. The public key is stored on the infected computer and given to the victim, who is then asked to pay a ransom in Bitcoin in order to recover the files.
The private key, which is used to decrypt the files, is stored on a remote command-and-control server that, in the case of Critroni, can only be accessed over the Tor anonymity network. This is a precaution that the creator has taken in order to make it difficult for law enforcement agencies or security researchers to identify and shut down the server.
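As an added example (not code from the original post or from the malware itself), here is the ECDH key agreement described above, run on a deliberately tiny curve over F_17 so the arithmetic is visible. The curve, the generator G = (5, 1) and the sample private scalars are constructed for illustration; the brute_force helper shows why such a toy curve, unlike the roughly 256-bit curves used in practice, offers no protection.

```python
"""Toy ECDH on y^2 = x^3 + 2x + 2 over F_17 (constructed example, not the
malware's code). Generator G has order 19, so 19*G is the point at infinity.
Real curves have ~256-bit order, making brute_force() below infeasible."""
import hashlib

P, A, B = 17, 2, 2          # field prime and curve coefficients (constructed)
G, ORDER, INF = (5, 1), 19, None   # generator, its order, point at infinity

def point_add(p1, p2):
    """Add two affine points on the curve modulo P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                              # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point):
    """Compute k*point by double-and-add; this is the one-way operation."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def derive_key(shared_point):
    """Derive a symmetric key from the shared point's x coordinate."""
    return hashlib.sha256(str(shared_point[0]).encode()).hexdigest()

def brute_force(public):
    """Recover the private scalar from a public point by exhaustive search.
    Feasible only because ORDER is 19; hopeless on a real curve."""
    for k in range(1, ORDER):
        if scalar_mult(k, G) == public:
            return k
    return None

if __name__ == "__main__":
    a_priv, b_priv = 3, 7                      # constructed sample scalars
    a_pub, b_pub = scalar_mult(a_priv, G), scalar_mult(b_priv, G)
    shared = scalar_mult(a_priv, b_pub)        # equals scalar_mult(b_priv, a_pub)
    print("shared point", shared, "key", derive_key(shared)[:16])
    print("toy curve private key recovered:", brute_force(a_pub))
```

Each side computes the same point from its own private scalar and the other side's public point, and an observer holding only the two public points has to solve the discrete logarithm, which brute_force does here only because the group has 19 elements.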
Critroni was designed to complete the file encryption operation locally before connecting to the command-and-control server. This also makes it hard for network security products to detect it early and block it by analyzing traffic.
Again, similar to CryptoLocker, there is a 72-hour window of “opportunity” to pay up and get a decryption key.
A more in-depth analysis and walkthrough of this new crypto ransomware can be found on the blog of Kafeine, a French security researcher.
Touted as the CryptoLocker replacement, this is just another reminder to make sure you have a good backup strategy.