Securing Your Windows From Crypto Locker Intrusion Attack (CTB-Locker)
What is CTB Locker or Critroni?
CTB Locker (Curve-Tor-Bitcoin Locker), otherwise known as Critroni, is a file-encrypting ransomware infection that was released in the middle of July 2014 and targets all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. Just like with other file-encrypting malware, the media continues to affiliate this infection with CryptoLocker, when in fact it appears to have been developed by a different group using new technologies such as elliptic curve cryptography and communication with the Command and Control server over TOR. As discovered by Kafeine, this malware also appears to be part of a kit being sold online for $3,000 USD, which includes support in getting it up and running. With that said, expect to see other ransomware released using this kit, but possibly with different interfaces. More information on how this malware is being sold can be found in Kafeine's article "Crypto Ransomware" CTB-Locker (Critroni.A) on the rise.
When you are first infected with CTB Locker it will scan your computer for data files and encrypt them so they are no longer accessible. In the past any file that was encrypted would have its file extension changed to CTB or CTB2. The current version now adds a random file extension to encrypted files. The infection will then open a ransom screen that states that your data was encrypted and prompts you to follow the instructions on the screen to learn how to purchase and pay the ransom of .2 BTC. This ransom amount is equivalent to approximately $120.00 USD.
When you become infected with the CTB Locker infection, the malware will store itself in the %Temp% folder as a randomly named executable. It will then create a hidden, randomly named job in Task Scheduler that launches the malware executable every time you log in. Once infected, CTB Locker will scan your computer's drives for data files and encrypt them. When the infection is scanning your computer it will scan all drive letters on your computer, including mapped drives, removable drives, and mapped network shares. In summary, if there is a drive letter on your computer it will be scanned for data files by CTB Locker.
When CTB Locker detects a supported data file it will encrypt it using elliptic curve cryptography, which is unique to this ransomware infection. When the malware has finished scanning your drives for data files and encrypting them it will display a ransom screen that includes instructions on how to pay the ransom. It will also change your wallpaper to the %MyDocuments%\AllFilesAreLocked <userid>.bmp file, which contains further instructions on how to pay the ransom. Finally, it will also create the files %MyDocuments%\DecryptAllFiles <user_id>.txt and %MyDocuments%\<random>.html, which also contain instructions on how to access the malware's site in order to pay the ransom. More information about the ransom site will be discussed later in this guide.
Another uncommon characteristic of this infection is that it will communicate with its Command & Control Server directly via TOR rather than over the regular Internet. This technique makes it more difficult, but not impossible, for law enforcement to track down the location of the C2 servers.
Last, but not least, each time you reboot your computer, the malware will copy itself to a new
name under the %Temp% folder and then create a new task scheduler job to launch it on
login. Therefore, it will not be unusual to find numerous copies of the same executable under
different names located in the %Temp% folder.
What should you do when you discover your computer is infected with CTB Locker?
If you discover that your computer is infected with CTB Locker you should immediately scan your computer with an anti-virus or anti-malware program. Unfortunately, most people do not realize CTB Locker is on their computer until it displays the ransom note and their files have already been encrypted. The scans, though, will at least detect and remove the infection from your computer so that it no longer starts when you log in to Windows.
To manually remove the infection you would need to remove any executables from the %Temp% folder and then clean the hidden job in the Windows Task Scheduler. This removes the main infection, but will not restore your encrypted files.
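An added example, not from the guide, that lists the two persistence artifacts described above (scheduled tasks whose action launches something from %Temp%, and the differently named copies of the same executable left in %Temp%) so they can be reviewed before manual clean-up. It assumes Windows 8.1 / Server 2012 R2 or later (for Get-ScheduledTask and Get-FileHash) and an elevated PowerShell session so that tasks created under other accounts are visible.

```powershell
# Added example (not the guide's own code). Assumes PowerShell 4+ on Windows 8.1+
# and an elevated session; it only reports, it does not delete anything.
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

# 1. Scheduled tasks (hidden or not) whose action runs something from %Temp%
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $cmd = [Environment]::ExpandEnvironmentVariables("$($action.Execute) $($action.Arguments)")
        if ($cmd -like "*$tempDir\*") {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Hidden   = $task.Settings.Hidden   # CTB Locker's job is created hidden
                Command  = $cmd.Trim()
            }
        }
    }
}

# 2. Executables sitting in %Temp%, hashed so that the several differently named
#    copies of one binary (one per reboot) show up as a single group
$tempExes = Get-ChildItem -Path $tempDir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            LastWriteTime = $_.LastWriteTime
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

Write-Host "Scheduled tasks launching from $tempDir`:"
$suspectTasks | Format-Table -AutoSize
Write-Host "Executables in $tempDir (same SHA256 = copies of one binary):"
$tempExes | Sort-Object SHA256, Name | Format-Table -AutoSize
$tempExes | Group-Object SHA256 | Where-Object Count -gt 1 |
    ForEach-Object { "{0} copies of hash {1}: {2}" -f $_.Count, $_.Name, ($_.Group.Name -join ', ') }
```

Any task listed in the first table and every file in a multi-copy group are candidates for the manual removal steps above; legitimate installers also run from %Temp% briefly, so check the hashes against your anti-virus vendor before deleting.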
How to find files that have been encrypted by CTB Locker
To see a list of files encrypted by this malware you can open the
%MyDocuments%\<random>.html file. This file not only includes ransom instructions,
but also contains a list of the files that have been encrypted by this malware.
How to restore files encrypted by CTB Locker
If your files have become encrypted and you are not going to pay the ransom then there are a
few methods you can try to restore your files.
Method 1: Backups
The first and best method is to restore your data from a recent backup. If you have been
performing backups, then you should use your backups to restore your data.
Method 2: File Recovery Software
It appears that when CTB Locker encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this you may be able to use file recovery software such as R-Studio or PhotoRec to recover some of your original files. It is important to note that the more you use your computer after the files are encrypted, the more difficult it will be for file recovery programs to recover the deleted unencrypted files.
How to manually create Software Restriction Policies to block CTB Locker:
To manually create Software Restriction Policies you need to do it within the Local Security
Policy Editor or Group Policy Editor. If you are a home user you should create these policies
using the Local Security Policy editor. If you are on a domain, then your domain
administrator should use the Group Policy Editor. To open the Local Security Policy editor,
click on the Start button and type Local Security Policy and select the search result that
appears. You can open the Group Policy Editor by typing Group Policy instead. In this guide
we will use the Local Security Policy Editor in our examples.
Once you open the Local Security Policy Editor, you will see a screen similar to the one
below.
Once the above screen is open, expand Security Settings and then click on the Software
Restriction Policies section. If you do not see the items in the right pane as shown above,
you will need to add a new policy. To do this right-click on the Software Restriction
Policies button and select New Software Restriction Policies. This will then enable the
policy and the right pane will appear as in the image above. You should then click on the
Additional Rules category and then right-click in the right pane and select New Path Rule....
You should then add a Path Rule for each of the items listed below.
If the Software Restriction Policies cause issues when trying to run legitimate applications,
you should see this section on how to enable specific applications.
Below are a few Path Rules that are suggested you use to not only block the infections from
running, but also to block attachments from being executed when opened in an e-mail client.
Block CTB Locker executable in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.
Block CTB Locker executable in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %LocalAppData%.
Block Zbot executable in %AppData%
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of
%AppData%.
Block Zbot executable in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %LocalAppData%.
Block executables run from archive attachments opened with WinRAR:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
Block executables run from archive attachments opened with 7zip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.
Block executables run from archive attachments opened with WinZip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.
Block executables run from archive attachments opened using Windows built-in Zip
support:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows
built-in Zip support.
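An added example (not from the guide) that creates the Disallowed path rules listed above without clicking through the editor, by writing the registry values in which Software Restriction Policies store path rules (ItemData, SaferFlags, Description and LastModified under CodeIdentifiers\0\Paths\{GUID}). It assumes you have already enabled SRP through "New Software Restriction Policies" as described earlier, so the CodeIdentifiers key exists, and that PowerShell is running as administrator.

```powershell
# Added example, not the guide's own code. Writes the same keys the Local Security
# Policy editor writes; level 0 = Disallowed, level 262144 (0x40000) = Unrestricted.
$srpRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$srpRoot\0\Paths"        # put allow rules under "$srpRoot\262144\Paths" instead

if (-not (Test-Path $srpRoot)) {
    throw 'SRP is not enabled yet: create it in the Local Security Policy editor first.'
}

# Vista and later use %LocalAppData%; XP keeps it under %UserProfile%\Local Settings
$local = if ([Environment]::OSVersion.Version.Major -ge 6) { '%LocalAppData%' } else { '%UserProfile%\Local Settings' }

$rules = @(
    @{ Path = '%AppData%\*.exe';         Desc = "Don't allow executables to run from %AppData%." }
    @{ Path = "$local\*.exe";            Desc = "Don't allow executables to run from $local." }
    @{ Path = '%AppData%\*\*.exe';       Desc = "Don't allow executables to run from immediate subfolders of %AppData%." }
    @{ Path = "$local\*\*.exe";          Desc = "Don't allow executables to run from immediate subfolders of $local." }
    @{ Path = "$local\Temp\Rar*\*.exe";  Desc = 'Block executables run from archive attachments opened with WinRAR.' }
    @{ Path = "$local\Temp\7z*\*.exe";   Desc = 'Block executables run from archive attachments opened with 7zip.' }
    @{ Path = "$local\Temp\wz*\*.exe";   Desc = 'Block executables run from archive attachments opened with WinZip.' }
    @{ Path = "$local\Temp\*.zip\*.exe"; Desc = 'Block executables run from archive attachments opened using Windows built-in Zip support.' }
)

if (-not (Test-Path $disallowed)) { New-Item -Path $disallowed -Force | Out-Null }
$now = [DateTime]::Now.ToFileTime()

foreach ($r in $rules) {
    # Skip paths that already have a rule so the script can be re-run safely
    $exists = Get-ChildItem -Path $disallowed -ErrorAction SilentlyContinue |
              Where-Object { (Get-ItemProperty -Path $_.PSPath).ItemData -eq $r.Path }
    if ($exists) { continue }

    $key = New-Item -Path "$disallowed\{$([guid]::NewGuid())}"
    New-ItemProperty -Path $key.PSPath -Name ItemData     -Value $r.Path -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -Value 0       -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -Value $r.Desc -PropertyType String       | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -Value $now    -PropertyType QWord        | Out-Null
    "Added Disallowed rule: $($r.Path)"
}
# Rules take effect for new processes after the policy is re-read (log off/on or gpupdate /force)
```

Open the Local Security Policy editor afterwards and the rules appear under Additional Rules exactly as if they had been added by hand, which is also the easiest way to confirm the script wrote them to the right level.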
How to allow specific applications to run when using Software Restriction Policies
If you use Software Restriction Policies, or CryptoPrevent, to block CTB Locker you may
find that some legitimate applications no longer run. This is because some companies
mistakenly install their applications under a user's profile rather than in the Program Files
folder where they belong. Due to this, the Software Restriction Policies will prevent those
applications from running.
Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path
Rule that specifies a program is allowed to run overrides any path rules that may block it.
Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to
use the manual steps given above to add a Path Rule that allows the program to run. To do
this you will need to create a Path Rule for a particular program's executable and set the
Security Level to Unrestricted instead of Disallowed as shown in the image below.
Once you add these Unrestricted Path Rules, the specified applications will be allowed to run again.