Attackers have devised a clever method of distributing the CTB-Locker (also known as Critroni) crypto ransomware, which arrives via spam messages and other social engineering lures to bait victims in several countries.
CTB-Locker is one of the newer variants in the crypto ransomware family, a kind of malware that encrypts the files on victims' machines and demands a relatively large payment in return for the decryption key. The most famous strain of this kind of malware is CryptoLocker, which has infected tens of thousands of machines and generated millions of dollars in revenue for the group behind it.
CTB-Locker is now prevalent, and it has some interesting features. The CTB in the name stands for Curve-Tor-Bitcoin, and the malware uses elliptic curve cryptography to lock up users’ files. It also has used the Tor anonymity network for command and control operations and it typically demands the ransom payments in the form of Bitcoin.
“It uses C2 hidden in the Tor network. Previously we haven’t seen cryptomalware having C2 in Tor. Only banking trojans,” Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat, said at the time of the initial analysis. “Executable code for establishing a Tor connection is embedded in the malware’s body. Previously, for malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware’s body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general.”
“The common infection vector is via an email containing a fake invoice compressed in a .zip or .cab archive file. The archives contain a binary (Dalexis dropper, usually in an .scr file) which, once opened, displays a decoy RTF document, waits for 5 minutes and then drops the actual CTB-Locker payload, which in turn performs the encryption routines,” an analysis from the CERT team at Société Générale says.
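The delivery chain quoted above (an "invoice" archive whose only real content is a Windows executable, typically an .scr) is exactly the kind of thing a mail gateway can triage before the user ever sees the lure. The following Python is an added example, not code from the article, Kaspersky Lab or CERT Société Générale. It unpacks a .zip in memory and flags members that carry an executable extension, a document-looking extension stacked in front of it ("invoice.pdf.scr"), or a PE header regardless of name. Only .zip is handled, since the Python standard library has no .cab reader; the extension lists and the sample archives are assumptions constructed for the example, and the "PE" inside the sample is a two-byte magic plus padding, not a real binary.

```python
"""Attachment triage for the CTB-Locker delivery chain described above:
an "invoice" .zip whose member is really a Windows executable (.scr).
Added example; not code from the article, Kaspersky Lab or CERT Société Générale.
Only .zip is handled (the Python standard library has no .cab reader).
"""
import io
import zipfile

# Extensions Windows runs on double-click. Assumed list for this example.
EXECUTABLE_EXTS = {
    ".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".cpl", ".hta",
    ".js", ".jse", ".vbs", ".vbe", ".wsf",
}
# Document-like extensions a lure stacks in front of an executable ("invoice.pdf.scr").
DECOY_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".xls", ".xlsx", ".jpg"}
# Every PE (Windows executable) starts with the DOS header magic "MZ".
PE_MAGIC = b"MZ"


def classify_member(name: str, head: bytes) -> list[str]:
    """Return findings for one archive member, given its name and first bytes.

    Three checks: an executable extension, a document-looking extension
    stacked in front of it, and a PE header regardless of name (an .scr
    renamed to .pdf still starts with "MZ").
    """
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable-extension: {name}")
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
            findings.append(f"double-extension: {name}")
    if head.startswith(PE_MAGIC):
        findings.append(f"pe-header: {name}")
    return findings


def triage_zip(data: bytes) -> list[str]:
    """Inspect every file in a .zip held in memory; return all findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))  # only the magic is needed
            findings.extend(classify_member(info.filename, head))
    return findings


def should_block(data: bytes) -> bool:
    """Gateway policy: quarantine the mail if the archive carries anything executable."""
    return bool(triage_zip(data))


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory .zip from {name: content}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): a fake PE stub behind a double
# extension next to a harmless text file, and a benign archive holding only a PDF.
LURE_ARCHIVE = build_archive({
    "Invoice.pdf.scr": PE_MAGIC + b"\x90" * 64,
    "readme.txt": b"Please find the attached invoice.\n",
})
CLEAN_ARCHIVE = build_archive({"invoice.pdf": b"%PDF-1.4\n%constructed\n"})


if __name__ == "__main__":
    for label, blob in (("lure", LURE_ARCHIVE), ("clean", CLEAN_ARCHIVE)):
        print(label, "->", "BLOCK" if should_block(blob) else "pass", triage_zip(blob))
```

The PE-header check matters more than the extension checks: a sender can rename the dropper to anything, but the file Windows eventually runs still begins with "MZ". The five-minute sleep between decoy and payload mentioned in the CERT analysis is a sandbox-evasion trick and is invisible to this static check, which is one reason to block executables at the gateway rather than rely on detonation alone.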
Ransomware has become a favorite way for criminals to cash in on the weakest link. CTB-Locker is well engineered and will likely bring its operators considerable success, which is clearly not the outcome anyone else wants. Defenses exist, but nearly all of them depend on the user learning in advance what not to open, and that is still a bad plan. Technology companies have to recognize the need to design technology that makes life simpler for the user, not more complicated. Rather than tech companies keeping up with the Joneses, let's design for the Joneses: security built into devices that does not depend on the end user to protect their data.
Data on a device should be encrypted from the outset so that it cannot be read or taken by whatever lands on the machine. Malware detection and prevention remain essential, but signatures lag: a dropper like the one described above can arrive before a detection for it exists. One caveat a practitioner will raise is that ordinary full-disk encryption is transparent to any process running as the logged-in user, so on its own it does not stop ransomware from reading and re-encrypting the user's files. The protection has to keep application data and keys isolated per app, so that a malicious attachment the user opens cannot reach data it was never given access to. (The CTB-Locker campaign described here targets Windows desktops through an .scr dropper; the same design principle applies to phones.)
Users will always click on something, just as a person sick with a virus will inevitably forget to wash their hands or touch something and spread it. Malware and breaches are an epidemic, and we need to inoculate our devices to protect our data from these threats.
For more articles by Richard Blech, visit securechannels.com