
CTB-Locker (Critoni) Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 1,565
First Seen: July 22, 2014
Last Seen: June 8, 2022
OS(es) Affected: Windows


The Critoni Ransomware (also known as CTB-Locker or Curve-Tor-Bitcoin Locker) is a file-encrypting Trojan that routes its Command & Control traffic over the Tor network to hide the location of its servers. While the Critoni Ransomware's technical innovations are noteworthy, for its victims it endangers files in much the same way as other ransomware: files are encrypted and a payment is demanded for their restoration. Proper data backup strategies can mitigate the effects of a Critoni Ransomware attack, and anti-malware tools should be used to delete the Critoni Ransomware, and all related threats, as soon as possible.

What a Trojan’s Anonymity Means for You

The Critoni Ransomware is one of many file-encrypting Trojans that may be installed through software vulnerabilities leveraged by Web-based threats such as the Angler Exploit Kit. Just as its installation rarely requires any consent from its victims, its attack also runs automatically, targeting and encrypting specific file types on the PC. Documents, images and audio files all may be made unreadable, and the Critoni Ransomware's TXT ransom notes claim that elliptic-curve cryptography (the "Curve" in its name) was used, which, when implemented correctly, leaves no practical way to recover the files without the attackers' private key.

Along with directing victims to a Tor-based payment site to buy back their files, the Critoni Ransomware also initiates communications with a C&C server. This function could let it receive instructions for other attacks or transmit information. The Trojan implements this feature in a semi-innovative fashion by using Tor to anonymize the C&C servers themselves. Other threats, including banking Trojans, pioneered that technique, but at the time of its discovery malware experts had yet to see any other file-encrypting Trojan using the Critoni Ransomware's anonymity methodology.

In practice, this anonymity can make it more difficult for PC security researchers to disrupt the Critoni Ransomware's server infrastructure or to assist law enforcement with apprehending its administrators. The Critoni Ransomware's administrators are not necessarily the same individuals as its coders: the Critoni Ransomware has been seen sold to third parties on underground forums for sums of three thousand USD.

Getting Your Files Off of Critoni Ransomware’s Curve

While the Critoni Ransomware does boast an exceptionally strong encryption algorithm that makes decryption without the attackers' key impractical, there are other means of preserving your files from a file encryptor Trojan's attacks. For this reason, malware researchers always recommend that PC users with irreplaceable data keep remote file backups on removable hard drives, cloud services and similar storage. Those copies must be disconnected or otherwise out of reach once the backup is done: a file encryptor can reach any backup volume that is mounted and writable at the time of infection.

Deleting the Critoni Ransomware itself should always be done with dedicated anti-malware software. The Critoni Ransomware remains in active development and is used by third parties with a variety of infection strategies, which may involve other, third-party threats. Accordingly, your anti-malware tools should be updated to detect the latest threats while scanning for the Critoni Ransomware. Although the Critoni Ransomware includes a self-deletion function for unpaid-ransom scenarios, victims should not rely on it triggering to disinfect their PCs, and removing the Trojan does nothing to decrypt the files it has already encrypted.

Unlike some more limited file encryptors, the Critoni Ransomware also may attack PCs that lack an active Internet connection. While its novel C&C communications earned it news headlines, those communications do not appear to be required for carrying out its payload: the encryption can complete without the Trojan ever contacting its servers.
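The two properties described above, encryption that needs no server contact and a ransom note that points at elliptic-curve cryptography, follow from one construction: a public key embedded in the binary, a fresh key pair per file, and a Diffie-Hellman secret that only the operator's private key can recompute. The program below is an added illustration of that construction written for this page; it is not CTB-Locker's code, and the page does not document the Trojan's actual key-derivation or cipher choices, so X25519, SHA-256 as the KDF and AES-256-GCM are assumptions standing in for whatever the real sample used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// lockedFile is what a hybrid-encryption locker leaves on disk for one file:
// the one-shot public key it used, the AEAD nonce and the ciphertext.
type lockedFile struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// newOperatorKey creates the operator's long-term X25519 key pair. In a real
// locker only the public half is compiled into the binary; the private half
// never touches the victim machine.
func newOperatorKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor derives the per-file AES-256-GCM cipher from a raw ECDH secret.
// Assumed KDF: one SHA-256 of the secret (a production scheme would use HKDF).
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockOffline encrypts plaintext with no network contact at all: the only
// operator material it needs is the embedded public key.
func lockOffline(operatorPub *ecdh.PublicKey, plaintext []byte) (*lockedFile, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key pair per file
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	// The ephemeral public key is bound as associated data so it cannot be
	// swapped later; the ephemeral private key is simply dropped on return.
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	return &lockedFile{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// unlock is the decryptor the ransom note sells: it needs the operator's
// private key plus the per-file ephemeral public key stored with the data.
func unlock(operatorPriv *ecdh.PrivateKey, lf *lockedFile) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(lf.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, lf.EphemeralPub)
}

func main() {
	operator, err := newOperatorKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample: contents of Q3-invoices.xlsx") // constructed input
	lf, err := lockOffline(operator.PublicKey(), doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("locked %d bytes; on-disk record carries a %d-byte ephemeral key\n", len(doc), len(lf.EphemeralPub))
	pt, err := unlock(operator, lf) // operator's private key: recovers the file
	fmt.Printf("operator key: %q err=%v\n", pt, err)
	other, _ := newOperatorKey() // any other key: the GCM tag check fails
	_, err = unlock(other, lf)
	fmt.Println("wrong key:", err)
}
```

Everything `lockOffline` needs is present on the victim machine before any network activity, which is why blocking the C&C traffic does not stop the encryption. Because the per-file ephemeral private key is discarded, the stored `EphemeralPub`, nonce and ciphertext are useless without the operator's private key, which is the only thing a ransom payment actually buys.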

Infection rates for CTB-Locker are increasing at an alarming pace. We have found that the way CTB-Locker encrypts files leaves them unusable and undecryptable by any known method, and that paying the ransom through the payment option on CTB-Locker's lock screen has not restored them either.

Aliases

15 security vendors flagged this file as malicious.

Anti-Virus Software    Detection
AVG                    Inject2.BJOA
Fortinet               W32/Filecoder.EB!tr
AhnLab-V3              Trojan/Win32.Necurs
Antiy-AVL              Trojan/Win32.Inject
Sophos                 Mal/Wonton-AF
McAfee-GW-Edition      BehavesLike.Win32.PWSZbot.fh
DrWeb                  Trojan.Encoder.853
Comodo                 TrojWare.Win32.Amtar.amu
Kaspersky              Trojan.Win32.Inject.ttcq
Avast                  Win32:Injector-CLC [Trj]
K7AntiVirus            Trojan ( 004b31fd1 )
McAfee                 RDN/Generic.dx!dhv
CAT-QuickHeal          TrojanRansom.Crowti.A4
AVG                    Crypt3.BTGZ
Ikarus                 Trojan-Ransom.CTBLocker


File System Details

CTB-Locker (Critoni) Ransomware may create the following file(s):
# File Name MD5 Detections
1. jkylgdbirzboad.exe 015fb9d19a20ba42e5c3b758668d4563 3
2. ygehnnol.exe 7027a7ee4fbcb26f1d039035ebd0dca5 1
3. ljchyff.exe 7aaa4bd1c2ca44174f17f06deb6221ff 1
4. %MyDocuments%\DecryptAllFiles [USER ID].txt
5. %MyDocuments%\AllFilesAreLocked [USER ID].bmp
6. %MyDocuments%\[RANDOM].html
7. %WinDir%\Tasks\[RANDOM].job
8. %Temp%\[RANDOM].exe
9. C:\[RANDOM]\[RANDOM].exe
10. C:\Users\\AppData\Local\[RANDOM].exe
11. C:\Documents and Settings\\Application Data\[RANDOM].exe
12. C:\Documents and Settings\\Local Application Data\[RANDOM].exe
13. file.exe dbfd1e73c20bf46c5dfa8ff399c7db81 0
14. file.exe 4b4544e54740217f4a6248d49d8490d5 0
15. file.exe d00ac2f06a3e276e60434a1b27394650 0
16. file.exe 5f71e11d485585d217c2249ce951885e 0
17. file.exe 8fa0c20cbf3b8794cc17bddf96293e25 0
18. file.exe c30465dc68a9a0b946b574d14b479825 0
19. file.exe 9447d03e39cb44c898223fcd8fb61bce 0
20. file.exe dfeb332cf1ded1ea0fc0761a3efe57fc 0
21. file.exe 3f50be0bf26bec263aa64d3d942e8d01 0
22. file.exe 23b6aeafd2e7d7657aa6d05afff9c05a 0
23. file.exe 6661df9d8474b751137202aa99cecdf4 0
24. file.exe 050ddfc1ddc6e2e886272f6d254fe402 0
25. file.exe b980669fd31acb318843e3f129850195 0
26. file.exe 842046f89835d9f194888acf0320cfba 0
27. file.exe b7d2dbaccf3cd340ec97b03a091fc317 0
28. file.exe 9b733b8ff609f3086e4d5dc36454c357 0
29. file.exe c25908f6868cd919e27d7728f4e8098f 0
30. file.exe e6bc67775d6e72f06f555901fb7b47ca 0
31. file.exe 577a9bb823b4f46cce4e7f1481f77daf 0
32. file.exe 376565a2294e80daf16776e594bf3f48 0
33. file.exe 8d7bfb9738e67f99a90dd9053f43b375 0
34. file.exe 34aff4a9ed8761696559e62352af9fea 0
35. file.exe a65a63148e6f7b11eddb8f54a7fb58a5 0

Registry Details

CTB-Locker (Critoni) Ransomware may create the following file masks and registry entries:

File masks (regular-expression style; [RANDOM CHARACTERS] stands for a variable string):
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[RANDOM CHARACTERS]HELP_DECRYPT[RANDOM CHARACTERS]
%userprofile%\documents\[RANDOM CHARACTERS]Decrypt-All-Files[RANDOM CHARACTERS]
%userprofile%\documents\Decrypt All Files[RANDOM CHARACTERS].bmp
%USERPROFILE%\My Documents\[RANDOM CHARACTERS]Decrypt-All-Files[RANDOM CHARACTERS]

Registry entries (the wallpaper value points at the ransom image; the two Schedule\TaskCache\Tree keys, which live under HKEY_LOCAL_MACHINE, are scheduled-task registrations, to be compared with the %WinDir%\Tasks\[RANDOM].job entry in the file list):
HKEY_CURRENT_USER\Control Panel\Desktop "Wallpaper" = "%MyDocuments%\AllFilesAreLocked [USER ID].bmp"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Components Update
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Security
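The indicators in the File System Details and Registry Details sections are written with placeholders ([RANDOM], [USER ID], %MyDocuments%) rather than as literal paths, so a hunt has to translate them before they can be matched against a file listing or a registry dump. The Go program below does that translation and runs it over an inventory. It is an added example for this page, not a tool from the page's vendor; the %VAR% expansions, the alphanumeric shape assumed for [USER ID] and the sample inventory are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pagePatterns are indicators copied from the page's File System Details and
// Registry Details sections, placeholders left exactly as the page writes them.
var pagePatterns = []string{
	`%MyDocuments%\DecryptAllFiles [USER ID].txt`,
	`%MyDocuments%\AllFilesAreLocked [USER ID].bmp`,
	`%WinDir%\Tasks\[RANDOM].job`,
	`%Temp%\[RANDOM].exe`,
	`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[RANDOM CHARACTERS]HELP_DECRYPT[RANDOM CHARACTERS]`,
	`%userprofile%\documents\[RANDOM CHARACTERS]Decrypt-All-Files[RANDOM CHARACTERS]`,
	`SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Components Update`,
	`SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Security`,
}

// envFragments are assumed expansions of the page's %VAR% tokens for a Vista+
// profile layout, as regex fragments so one pattern covers every user account.
var envFragments = map[string]string{
	"%mydocuments%": `C:\\Users\\[^\\]+\\Documents`,
	"%userprofile%": `C:\\Users\\[^\\]+`,
	"%appdata%":     `C:\\Users\\[^\\]+\\AppData\\Roaming`,
	"%temp%":        `C:\\Users\\[^\\]+\\AppData\\Local\\Temp`,
	"%windir%":      `C:\\Windows`,
}

// tokenRe finds the page's placeholders: %ENV% tokens and [RANDOM]-style fillers.
var tokenRe = regexp.MustCompile(`%[A-Za-z]+%|\[[A-Z ]+\]`)

// compileIndicator turns one page pattern into an anchored, case-insensitive
// regexp. Literal text is QuoteMeta'd so backslashes and dots stay literal;
// only the placeholders become wildcards. Unknown %VAR% tokens are an error
// rather than being matched literally, so a gap in envFragments cannot hide a miss.
func compileIndicator(pattern string) (*regexp.Regexp, error) {
	var sb strings.Builder
	sb.WriteString(`(?i)(?:^|\\)`) // path start, or a hive prefix such as HKLM\ before a registry path
	last := 0
	for _, loc := range tokenRe.FindAllStringIndex(pattern, -1) {
		sb.WriteString(regexp.QuoteMeta(pattern[last:loc[0]]))
		tok := pattern[loc[0]:loc[1]]
		switch {
		case strings.HasPrefix(tok, "%"):
			frag, ok := envFragments[strings.ToLower(tok)]
			if !ok {
				return nil, fmt.Errorf("no expansion for %s in %q", tok, pattern)
			}
			sb.WriteString(frag)
		case tok == "[USER ID]":
			sb.WriteString(`[A-Za-z0-9]+`) // assumed: alphanumeric victim ID
		default: // [RANDOM], [RANDOM CHARACTERS]: anything within one path component
			sb.WriteString(`[^\\]*`)
		}
		last = loc[1]
	}
	sb.WriteString(regexp.QuoteMeta(pattern[last:]))
	sb.WriteString(`$`)
	return regexp.Compile(sb.String())
}

// hit records one artifact that matched one page indicator.
type hit struct {
	Artifact  string
	Indicator string
}

// scanArtifacts matches an inventory of file paths and registry paths (as a
// collection script would dump them) against every page indicator.
func scanArtifacts(artifacts []string) ([]hit, error) {
	compiled := make([]*regexp.Regexp, 0, len(pagePatterns))
	for _, p := range pagePatterns {
		re, err := compileIndicator(p)
		if err != nil {
			return nil, err
		}
		compiled = append(compiled, re)
	}
	var hits []hit
	for _, a := range artifacts {
		for i, re := range compiled {
			if re.MatchString(a) {
				hits = append(hits, hit{Artifact: a, Indicator: pagePatterns[i]})
			}
		}
	}
	return hits, nil
}

// sampleArtifacts is a constructed inventory, not data from a real host.
var sampleArtifacts = []string{
	`C:\Users\scott\Documents\DecryptAllFiles a1b2c3d4.txt`,
	`C:\Users\scott\Documents\AllFilesAreLocked a1b2c3d4.bmp`,
	`C:\Users\scott\Documents\xkDecrypt-All-Files9q.html`,
	`C:\Users\scott\Documents\invoice.docx`,
	`C:\Windows\Tasks\qzkwpoe.job`,
	`C:\Windows\Tasks\SA.DAT`,
	`C:\Users\scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xrHELP_DECRYPTqq.txt`,
	`C:\Users\scott\AppData\Local\Temp\setup.exe`,
	`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Security`,
}

func main() {
	hits, err := scanArtifacts(sampleArtifacts)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("HIT %s\n    <- %s\n", h.Artifact, h.Indicator)
	}
	fmt.Printf("%d of %d artifacts matched\n", len(hits), len(sampleArtifacts))
}
```

Note the `%Temp%\[RANDOM].exe` hit on `setup.exe`: a mask that is nothing but a wildcard in a user-writable directory matches any executable there and is low-signal on its own, so treat such hits as corroboration for the ransom-note, Startup-folder and scheduled-task matches rather than as findings in their own right. Pair a path hit with the MD5 list above before acting on it.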

1 Comment

My name is Scott. I am a professional photographer from Michigan. On August 11, 2015 my computer was infiltrated by hackers utilizing an advanced and evolving hacking and data encryption program. It is not the only one of its kind; however, the bad guys are continuing to invent new and more powerful ways to separate people and companies from the things they need the most. It is something that never should happen. It is wrong what these people do and they are doing it every day. They are doing it as I write this. They call it RANSOMWARE. It is a word I myself, a common computer user, had not heard of.
These programs go by different names. They all do about the same thing, which is to lock you out of your own computer and/or render files on your hard drive inaccessible to you and, incidentally, to most people on the planet. It is a troublesome and disturbing new trend in cybercrime and I feel law enforcement and our government are NOT doing nearly enough to combat these people and their very REAL weapons.
They seem to be targeting at random: individuals, small businesses, and even law enforcement itself. There is a new shared danger in this fluid situation that is different from other computer virus programs in that even with the best protection the government has at its disposal there are people who know how to break in. Once one of these RANSOMWARE programs is able to upload onto your system you may never know it is there until it strikes. When it does, it is very fast and there is nothing you can do to stop it. Your file icons will flicker and disappear. You will see this happen as I did. The files will reappear, but in an encrypted format that MOST people will never break, it seems. You will need to know a lot about computer CODE and DECRYPTION.
If you start to see your files going away, the only thing you can do is unplug your system from the wall or shut it down immediately, as fast as you can. Just hit the button!! In some cases doing an immediate system restore and/or factory restore can assist in the recovery of files. It depends a lot on when your last hard drive RESTORE POINT was made. That is something you should do often, particularly if you do a lot of work on your computer and have more files you are dealing with.
The best thing you can do is keep updated copies of important material, on CD as well as on a computer that is NOT connected to the internet at all. That is what I mostly do. I have computers for networking and I have others for editing and other things. It is best to keep things separate, now more than ever.
As of this writing there is no decryption for the version of this virus program that has locked my files from me. It is called CTB-LOCKER. It uses RSA-2048 ENCRYPTION. Please feel free to google these things so you can learn more about what these programs really are, how they work and how dangerous they really are. Or google RANSOMWARE. I am hopeful that one day soon they will catch these evil people, or the good guys will come up with a solution. Some of these people have actually stopped and released their CODES so people could actually retrieve their data, but every situation is different and no one can say for sure if decryption will ever happen. I know there are a lot of people out there like me who have been victimized by these evil people and I want them to know that I feel their pain. I want to see these evil bad people in court. I want them to know that they have HURT PEOPLE and I want to see them go away for the rest of their lives.
I want to thank Roxy Lopez again for her courage in taking on this global issue and I thank her again for her time. Hopefully together we can get this very serious issue into a greater light and maybe the bad guys will have fewer places to hide.

Sincerely
Scott Matthew Smith
