CTB-Faker

By GoldSparrow in Ransomware

CTB-Faker is a low-quality ransomware threat that imitates CTB-Locker, a well-known encryption ransomware Trojan. CTB-Faker claims to encrypt the victim's files in the manner of CTB-Locker and other encryption ransomware Trojans, but it merely moves the victim's files into a password-protected ZIP archive. CTB-Faker demands a ransom of 0.08 Bitcoin, approximately $50 USD at the current exchange rate. Computer users should not pay the CTB-Faker ransom, especially since recovering from a CTB-Faker infection is relatively simple compared to recovering from real encryption ransomware.

CTB-Faker – Fake Allegations, Real Problems

PC security analysts can help computer users recover from a CTB-Faker infection if the victim can provide a copy of the original CTB-Faker installer, since the scripts that build the archive are contained in it. CTB-Faker includes image resources that are used in its ransom note. Curiously, many of these images were taken from PC security websites, as the watermarks on them show. It seems that the developers of CTB-Faker reused images of other threats' ransom notes (ZeroLocker in particular) to assemble their own fake one. CTB-Faker is being distributed through adult websites, where it has been associated with bogus profile pages that supposedly lead to password-protected online stripping videos.

How CTB-Faker Carries out Its Infection

When a computer user clicks the link to one of these adult videos, a ZIP file hosted on JottaCloud is downloaded. The attack is not particularly sophisticated: it relies on the user extracting the archive and running the executable inside it, on the assumption that the promise of a pornographic video is enough to make the user accept the risks involved. Once executed, the file pretends to encrypt the victim's files, but CTB-Faker is not an encryption ransomware Trojan. It is essentially a WinRAR SFX archive that extracts several batch, VBS and executable files into the victim's ProgramData directory. The VBS file displays a fake error pop-up claiming that a graphics card error prevents the adult video from loading, which buys CTB-Faker time to carry out its attack in the background.

While the victim is busy with the pop-up, CTB-Faker uses the bundled WinRAR application to create a password-protected ZIP archive named 'Users.zip' on the C: drive. The archive contains every file under the Users directory with one of the extensions listed below:

.exe, .msi, .dll, .jpg, .jpeg, .bmp, .gif, .png, .psd, .mp3, .wav, .mp4, .avi, .zip, .rar, .iso, .7z, .cab, .dat, .data.

CTB-Faker moves the files into the archive rather than copying them, which slows the affected computer substantially while the process runs. At the end of the process CTB-Faker deletes the original files and reboots the computer, after which the victim is presented with the ransom note.

Infected Computer Users can Recover Their Files without Paying the Ransom

CTB-Faker's ransom note claims that the victim's files were encrypted, in the manner of real encryption malware. It demands payment to the Bitcoin address 1NgrUc748vG5HerFoK3Tkkb1bHjS7T2w5J and instructs the victim to email miley@openmailbox.org to receive the password. Other Bitcoin addresses associated with the same campaign have received payments, which means that some CTB-Faker attacks have succeeded. Paying the CTB-Faker ransom is not recommended: CTB-Faker is not a real encryption Trojan, and the files may not be difficult to recover. Moreover, becoming infected with CTB-Faker requires a fair amount of carelessness on the user's part, so CTB-Faker attacks can be prevented simply by being more cautious when browsing the Web.
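The following Python is an added example illustrating the attack chain described above and the recovery point of this section; it is not CTB-Faker's code, nor a recovered sample. It assumes that the dropped batch script hands WinRAR the archive password on its command line (the -p switch), which is why the installer is enough to recover the files; the batch text, the victim files and the WinRAR switches shown are constructed stand-ins. The sample archive uses traditional ZipCrypto, the only ZIP encryption Python's zipfile can decrypt; a WinRAR build that defaults to AES for ZIP archives would need 7-Zip or WinRAR for the extraction step, with the same recovered password.

```python
import io
import re
import struct
import zipfile
import zlib

# Constructed stand-in for the batch file CTB-Faker drops into ProgramData (the real
# script's switches are not on the page).  WinRAR switches used: a = add, -r = recurse,
# -df = delete files after archiving (the "move"), -p<pwd> = set the archive password.
SAMPLE_BATCH = (
    "@echo off\r\n"
    '"%ProgramData%\\rar.exe" a -r -df -pN0tEncrypt10n C:\\Users.zip '
    "C:\\Users\\*.jpg C:\\Users\\*.exe\r\n"
    "shutdown /r /t 0\r\n"
)
# Constructed victim files, not real data.
SAMPLE_FILES = [
    ("Users/victim/Pictures/holiday.jpg", b"\xff\xd8\xff\xe0" + b"JFIF placeholder " * 4),
    ("Users/victim/Desktop/tool.exe", b"MZ" + bytes(range(64))),
]
# WinRAR takes the password as -p<pwd> or -hp<pwd> (quoted if it contains spaces).
_PASSWORD_RE = re.compile(r'(?:^|\s)-h?p(?:"([^"]*)"|(\S+))')


def extract_winrar_password(script_text):
    """Return the password from the dropper's WinRAR command line, or None."""
    m = _PASSWORD_RE.search(script_text)
    return None if m is None else (m.group(1) or m.group(2))


# Traditional PKWARE "ZipCrypto" stream cipher, the ZIP encryption zipfile can read.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _zipcrypto_encrypt(plaintext, pwd):
    """ZipCrypto encryption; the key state is driven by the plaintext bytes."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(b):
        keys[0] = _CRC_TABLE[(keys[0] ^ b) & 0xFF] ^ (keys[0] >> 8)
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _CRC_TABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF] ^ (keys[2] >> 8)

    for b in pwd:
        update(b)
    out = bytearray()
    for p in plaintext:
        t = (keys[2] | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)


def build_zipcrypto_zip(files, pwd):
    """Write a stored, ZipCrypto-encrypted ZIP by hand (zipfile only decrypts).
    Stands in for Users.zip; a real WinRAR ZIP may use AES instead (see lead-in)."""
    pwd = pwd.encode()
    local, central = bytearray(), bytearray()
    dos_date = ((2016 - 1980) << 9) | (7 << 5) | 1        # 2016-07-01, constructed
    for name, data in files:
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # 12-byte encryption header: 11 filler bytes + the CRC's high byte, which is
        # how an extractor rejects a wrong password before touching the data.
        body = _zipcrypto_encrypt(bytes(11) + bytes([crc >> 24]) + data, pwd)
        n, offset = name.encode("ascii"), len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, dos_date,
                             crc, len(body), len(data), len(n), 0) + n + body
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0,
                               dos_date, crc, len(body), len(data), len(n), 0, 0, 0,
                               0, 0, offset) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(files), len(files),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def triage_archive(zip_bytes):
    """Everything visible with no password at all: names, sizes, encryption flag.
    Genuinely encrypting ransomware leaves nothing this legible behind."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(zi.filename, zi.file_size, bool(zi.flag_bits & 1)) for zi in zf.infolist()]


def recover_files(zip_bytes, pwd):
    """Extract every entry with the recovered password; None if the password is wrong."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            try:
                with zf.open(zi, pwd=pwd.encode()) as fh:
                    out[zi.filename] = fh.read()
            except (RuntimeError, zipfile.BadZipFile):  # bad password / CRC mismatch
                return None
    return out


if __name__ == "__main__":
    password = extract_winrar_password(SAMPLE_BATCH)
    archive = build_zipcrypto_zip(SAMPLE_FILES, password)
    print("password from dropper:", password, "| listing:", triage_archive(archive))
    print("recovered:", sorted(recover_files(archive, password)))
```

Two things in this example matter for triage. First, triage_archive lists file names and sizes without any password, because a ZipCrypto (and WinZip AES) ZIP encrypts only entry data, not the central directory; that listing alone contradicts a ransom note claiming the files were encrypted. Second, extract_winrar_password shows why keeping the installer matters: the archiving tool has to be given the password somewhere the analyst can read it, so the dropped scripts are worth more than the email address in the ransom note.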
