CTB-Locker (Critoni) Ransomware Description
The Critoni Ransomware (also known as CTB-Locker or Curve-Tor-Bitcoin Locker) is a file-encrypting Trojan that routes its traffic to its Command & Control servers over the Tor network, which hides where those servers are. While its technical innovations are noteworthy, for its victims the Critoni Ransomware endangers files in much the same way as other ransomware: it encrypts them and demands a payment for their restoration. Proper data backup strategies mitigate the effects of a Critoni Ransomware attack, and anti-malware tools should be used to delete the Critoni Ransomware, and all related threats, as soon as possible.
What a Trojan's Anonymity Means for You
The Critoni Ransomware is one of various file-encrypting Trojans that may install themselves through software vulnerabilities leveraged by Web-based attacks, typically delivered by exploit kits such as the Angler Exploit Kit. Just as its installation rarely requires any consent from its victims, its attack also runs automatically, targeting and encrypting specific file types on your PC. Documents, images and audio files all may be made unreadable, with the Critoni Ransomware's warning TXT files claiming that a nigh-unbreakable elliptic curve cipher was used in the process.
Along with offering its victims a Tor-based payment plan to get their files back, the Critoni Ransomware also initiates communications with a C&C server. This function could let it receive instructions for other attacks or transmit information. The Trojan implements this feature in a semi-innovative fashion, by using Tor to keep its C&C traffic anonymous as well. Other threats have pioneered that technique, including banking Trojans, but malware experts have yet to see any other file-encrypting Trojan use the Critoni Ransomware's anonymity methodology.
In practice, this anonymity could make it more difficult for PC security researchers to disrupt the Critoni Ransomware's server infrastructure, or to assist law enforcement with apprehending the Critoni Ransomware's administrators. Those administrators are not necessarily the same individuals as its coders; the Critoni Ransomware has been seen for sale to third parties on suspicious forums for sums of three thousand USD.
Getting Your Files Off of Critoni Ransomware's Curve
While the Critoni Ransomware does boast of an exceptionally strong encryption algorithm that makes decryption without the attacker's key impractical, there are other means of preserving your files from a file-encrypting Trojan's attacks. For this reason, malware researchers always recommend that PC users with irreplaceable data keep remote file backups on removable hard drives, cloud services and similar storage. Those backups should be kept disconnected, or on a service that retains earlier file versions, because a backup drive that stays mounted during an attack is encrypted along with everything else on the PC.
Deleting the Critoni Ransomware itself always should be done by dedicated anti-malware software. The Critoni Ransomware continues to be in active development and may be used by third parties with a variety of infection strategies, which may involve other, unrelated threats. Accordingly, your anti-malware tools should be updated to detect the latest threats while scanning for the Critoni Ransomware. Although the Critoni Ransomware does include a self-deletion function for cases where the ransom goes unpaid, victims shouldn't count on this capability to trigger and disinfect their PCs.
Unlike some more limited file encryptors, the Critoni Ransomware also may attack PCs that lack an active Internet connection. While the Critoni Ransomware has been given visibility in news headlines for its novel C&C server communications, these communications don't appear to be required for carrying out its payload, so blocking its network traffic alone does not stop the encryption.
Infection rates for CTB-Locker are increasing at an alarming pace. We have found that the way CTB-Locker encrypts files ultimately renders those files useless: they cannot be decrypted by any method, even by paying the fine through the payment option offered on CTB-Locker's lock screen.
File System Details
|#|File Name|Size|MD5|Detection Count|
|14|%MyDocuments%\DecryptAllFiles [USER ID].txt|N/A|N/A|N/A|
|15|%MyDocuments%\AllFilesAreLocked [USER ID].bmp|N/A|N/A|N/A|
|21|C:\Documents and Settings\[USER]\Application Data\[RANDOM].exe|N/A|N/A|N/A|
|22|C:\Documents and Settings\[USER]\Local Application Data\[RANDOM].exe|N/A|N/A|N/A|
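The table above gives the only concrete host artifacts this article names: two ransom notes in the victim's Documents folder and a randomly named executable dropped directly into the Application Data or Local Application Data directory. The following script is an added example, not part of the original article or any vendor's tool, that hunts a filesystem tree for exactly those indicators. The [USER ID] format is unknown, so the note names are matched loosely, and the directory layout used for the constructed sample tree is an assumption for demonstration.

```python
"""Hunt for the CTB-Locker (Critoni) host artifacts listed in the article.

Added example; it is not the article's or any vendor's code. It only checks:
  - ransom notes  DecryptAllFiles <ID>.txt / AllFilesAreLocked <ID>.bmp
  - a .exe sitting directly in "Application Data" or "Local Application Data"
"""
import os
import re
import tempfile
from pathlib import Path

# Note names from the article. The exact user-ID format is not documented,
# so anything after the fixed prefix is accepted (assumption).
NOTE_PATTERNS = [
    re.compile(r"^DecryptAllFiles .+\.txt$", re.IGNORECASE),
    re.compile(r"^AllFilesAreLocked .+\.bmp$", re.IGNORECASE),
]

# Drop directories from the article's file-system table (case-insensitive).
DROP_DIRS = {"application data", "local application data"}


def is_ransom_note(name: str) -> bool:
    """True when the bare file name matches one of the ransom-note patterns."""
    return any(p.match(name) for p in NOTE_PATTERNS)


def is_dropped_exe(path: Path) -> bool:
    """True for an .exe placed directly inside a listed drop directory.

    Executables in vendor subfolders below those directories are not flagged;
    the article lists the payload at the top level of the drop directory.
    """
    return path.suffix.lower() == ".exe" and path.parent.name.lower() in DROP_DIRS


def hunt(root) -> dict:
    """Walk `root` and return sorted, root-relative paths of matching artifacts."""
    root = Path(root)
    found = {"notes": [], "executables": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if is_ransom_note(name):
                found["notes"].append(rel)
            elif is_dropped_exe(p):
                found["executables"].append(rel)
    found["notes"].sort()
    found["executables"].sort()
    return found


def build_sample(base) -> Path:
    """Create a constructed, infection-like tree. Sample data only; no malware."""
    user = Path(base) / "Documents and Settings" / "victim"
    docs = user / "My Documents"
    appdata = user / "Application Data"
    local = user / "Local Application Data"
    for d in (docs, appdata, local / "Vendor"):
        d.mkdir(parents=True, exist_ok=True)
    (docs / "DecryptAllFiles ab12cd34.txt").write_text("ransom note (constructed)")
    (docs / "AllFilesAreLocked ab12cd34.bmp").write_bytes(b"BM")
    (docs / "report.docx").write_bytes(b"benign document")
    (appdata / "xkqwe.exe").write_bytes(b"MZ")          # looks like the dropped payload
    (local / "Vendor" / "setup.exe").write_bytes(b"MZ")  # legitimate-looking, not flagged
    return Path(base)


def run_demo() -> dict:
    """Build the sample tree in a temp directory and hunt it."""
    base = tempfile.mkdtemp(prefix="ctb_hunt_")
    build_sample(base)
    return hunt(base)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind)
        for p in paths:
            print("  ", p)
```

On a real host, call `hunt()` against the user profile root (or a mounted forensic image) rather than the constructed tree; a hit on either note name is strong evidence of an infection even if the executable has already removed itself, as the article notes it may.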