Securing Your Windows From Crypto Locker Intrusion Attack (CTB-Locker)



Date: 14.04.2018


What is CTB Locker or Critroni?

CTB Locker (Curve-Tor-Bitcoin Locker), otherwise known as Critroni, is a file-encrypting ransomware infection that was released in the middle of July 2014 and targets all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. Just like other file-encrypting malware, the media continues to associate this infection with CryptoLocker, when in fact it appears to have been developed by a different group using techniques that were new at the time: elliptic curve cryptography for the file encryption and Command and Control communication carried over Tor. As discovered by Kafeine, this malware also appears to be part of a kit being sold online for $3,000 USD, which includes support in getting it up and running. With that said, expect to see other ransomware released using this kit, possibly with different interfaces. More information on how this malware is being sold can be found in Kafeine's article "Crypto Ransomware" CTB-Locker (Critroni.A) on the rise.

When you are first infected with CTB Locker, it scans your computer for data files and encrypts them so they are no longer accessible. Earlier versions changed the file extension of every encrypted file to CTB or CTB2; the current version instead appends a random file extension to each encrypted file. The infection then opens a ransom screen that states that your data was encrypted and prompts you to follow the on-screen instructions to learn how to purchase and pay the ransom of 0.2 BTC. At the time of writing this ransom amount was equivalent to approximately $120 USD.

When you become infected with CTB Locker, the malware stores itself in the %Temp% folder as a randomly named executable. It then creates a hidden, randomly named job in Task Scheduler that launches the malware executable every time you log in. Once running, CTB Locker scans your computer's drives for data files and encrypts them. The scan covers every drive letter on the computer, including mapped drives, removable drives, and mapped network shares. In summary, if there is a drive letter on your computer, CTB Locker will scan it for data files.

When CTB Locker detects a supported data file it encrypts it using elliptic curve cryptography, which at the time was unique to this ransomware family. When the malware has finished scanning your drives for data files and encrypting them, it displays a ransom screen that includes instructions on how to pay the ransom. It also changes your wallpaper to the %MyDocuments%\AllFilesAreLocked .bmp file, which contains further instructions on how to pay the ransom. Finally, it creates the files %MyDocuments%\DecryptAllFiles .txt and %MyDocuments%\.html, which also contain instructions on how to access the malware's site in order to pay the ransom. More information about the ransom site will be discussed later in this guide.

Another uncommon characteristic of this infection is that it communicates with its Command & Control server through the Tor network rather than connecting to it directly over the open Internet. Because the C2 server sits behind a Tor hidden service, its real network location is not exposed to the victim or to anyone observing the victim's traffic, which makes it more difficult, but not impossible, for law enforcement to track down the location of the C2 servers.

Last, but not least, each time you reboot your computer, the malware copies itself to a new name under the %Temp% folder and creates a new Task Scheduler job to launch that copy on login. Therefore, it is not unusual to find numerous copies of the same executable under different names in the %Temp% folder.



What should you do when you discover your computer is infected with CTB Locker?

If you discover that your computer is infected with CTB Locker, you should immediately scan it with an anti-virus or anti-malware program. Unfortunately, most people do not realize CTB Locker is on their computer until it displays the ransom note, by which time their files have already been encrypted. The scans will at least detect and remove the infection so that it no longer starts when you log in to Windows.

To manually remove the infection you need to delete the malware executables from the %Temp% folder and then remove the hidden job from the Windows Task Scheduler. This removes the main infection, but it will not restore your encrypted files.
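The following PowerShell script is an added example, not part of the original guide, that automates the manual check just described: it lists every scheduled task whose action launches an executable from the user's Temp folder (the persistence pattern described above), shows whether the task is hidden and triggered at logon, hashes the target binary, and optionally unregisters the matching tasks. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later) and PowerShell 4 or later for Get-FileHash; it contains no hard-coded file names, because the malware's names are random.

```powershell
# Added example (not from the original guide): find scheduled tasks that launch an
# executable from %Temp%, report them, and remove them when run with -Remove.
# Requires the ScheduledTasks module (Windows 8 / Server 2012+) and PowerShell 4+.
param(
    [switch]$Remove   # review the report first; pass -Remove to unregister the matching tasks
)

# Folders the guide says CTB Locker drops into. %Temp% normally resolves under %LocalAppData%.
$suspectRoots = @($env:TEMP, (Join-Path $env:LOCALAPPDATA 'Temp')) |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } | Select-Object -Unique

function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Task actions may store the path quoted and with unexpanded variables such as %TEMP%.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"')).ToLowerInvariant()
    foreach ($root in $suspectRoots) {
        if ($expanded.StartsWith($root + '\')) { return $true }
    }
    return $false
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only exec actions have an Execute property; COM-handler actions are skipped.
        if (-not (Test-SuspectPath $action.Execute)) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        $atLogon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
        $exists = Test-Path -LiteralPath $exe
        [pscustomobject]@{
            TaskPath    = $task.TaskPath
            TaskName    = $task.TaskName
            Hidden      = $task.Settings.Hidden
            RunsAtLogon = $atLogon
            Executable  = $exe
            Exists      = $exists
            Sha256      = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
        }
    }
}

if (-not $findings) {
    Write-Host 'No scheduled task launches an executable from the Temp folder.'
} else {
    $findings | Format-Table -AutoSize
    if ($Remove) {
        foreach ($f in $findings) {
            Unregister-ScheduledTask -TaskPath $f.TaskPath -TaskName $f.TaskName -Confirm:$false
            Write-Host "Removed task $($f.TaskPath)$($f.TaskName)"
        }
    }
}

# The guide says the malware re-copies itself under a new random name on every reboot,
# so also list every executable currently sitting in %Temp% with its hash for submission or blocking.
Get-ChildItem -LiteralPath $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime,
        @{ n = 'Sha256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
    Format-Table -AutoSize
```

Run it first without -Remove and check the report: a legitimate updater occasionally runs from Temp, so confirm the hashes before unregistering anything, and delete the listed executables from %Temp% separately after the tasks are gone, since removing the task alone leaves the binary on disk.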

How to find files that have been encrypted by CTB Locker

To see a list of files encrypted by this malware you can open the %MyDocuments%\.html file. This file not only includes ransom instructions, but also contains a list of the files that have been encrypted by this malware.



How to restore files encrypted by CTB Locker

If your files have become encrypted and you are not going to pay the ransom then there are a few methods you can try to restore your files.

Method 1: Backups

The first and best method is to restore your data from a recent backup. If you have been performing backups, then you should use your backups to restore your data.

Method 2: File Recovery Software

It appears that when CTB Locker encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this you may be able to use file recovery software such as R-Studio or PhotoRec to recover some of your original files. It is important to note that the more you use your computer after the files are encrypted, the more likely the deleted unencrypted data is to be overwritten and the harder it becomes for file recovery programs to recover it; where possible, stop using the affected disk and run the recovery tools against an image of it rather than the live drive.

How to manually create Software Restriction Policies to block CTB Locker:

To manually create Software Restriction Policies you need to do it within the Local Security Policy editor (secpol.msc) or the Group Policy editor. If you are a home user you should create these policies using the Local Security Policy editor. If you are on a domain, your domain administrator should create them in a Group Policy Object instead. To open the Local Security Policy editor, click on the Start button, type Local Security Policy, and select the search result that appears. You can open the Group Policy editor by typing Group Policy instead. In this guide we will use the Local Security Policy editor in our examples.

Once you open the Local Security Policy Editor, you will see a screen similar to the one below.

Once the above screen is open, expand Security Settings and then click on the Software Restriction Policies section. If you do not see the items in the right pane as shown above, you will need to add a new policy. To do this, right-click on Software Restriction Policies and select New Software Restriction Policies. This enables the policy and the right pane will appear as in the image above. You should then click on the Additional Rules category, right-click in the right pane, and select New Path Rule.... Add a Path Rule for each of the items listed below.

If the Software Restriction Policies cause issues when trying to run legitimate applications, see the section below on how to allow specific applications to run.

Below are a few Path Rules that are suggested not only to block the infection from running, but also to block attachments from being executed when opened from an e-mail client. Note that the rules covering immediate subfolders of %LocalAppData% (or of Local Settings on Windows XP) are the ones that cover %Temp%, which is where CTB Locker stores itself.

Block CTB Locker executable in %AppData%

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block CTB Locker executable in %LocalAppData%

Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %LocalAppData%.

Block Zbot executable in %AppData%

Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block Zbot executable in %LocalAppData%

Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %LocalAppData%.

Block executables run from archive attachments opened with WinRAR:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.

How to allow specific applications to run when using Software Restriction Policies

If you use Software Restriction Policies, or CryptoPrevent, to block CTB Locker you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.



Thankfully, Software Restriction Policies resolve conflicts in favour of the more specific rule: a Path Rule that names a particular program's full path takes precedence over a broader wildcard rule, such as %AppData%\*\*.exe, that would otherwise block it. Therefore, if a Software Restriction Policy is blocking a legitimate program, use the manual steps given above to add a Path Rule for that program's executable and set its Security Level to Unrestricted instead of Disallowed, as shown in the image below.

Once you add these Unrestricted Path Rules, the specified applications will be allowed to run again. Keep each exception as narrow as possible: an Unrestricted rule on a whole folder or a wildcard under the user profile gives malware a path it can copy itself to and run from, so point the rule at the exact executable path, or use a hash rule if the program's location changes between updates.
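The following PowerShell script is an added example, not part of the original guide, that serves both the "How to manually create Software Restriction Policies" steps above and the allow-list exception just described. It writes the same path rules the Local Security Policy editor creates, directly into the registry keys SRP reads (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with one GUID-named subkey per rule under the numeric security level), adds one Unrestricted exception, and reads everything back so you can verify what is in force. The Windows Vista/7/8 path syntax is used; on XP substitute %UserProfile%\Local Settings for %LocalAppData%. The vendor folder and executable name in the exception (ExampleVendor\ExampleApp.exe) are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide: create the SRP path rules from this guide in the
# registry location secpol.msc uses, add one Unrestricted exception, and list the resulting rules.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as SRP stores them; the number is also the name of the registry subkey.
$SrpLevel = @{ Disallowed = 0; Unrestricted = 262144 }

function Initialize-SrpPolicy {
    # Equivalent of "New Software Restriction Policies": default level Unrestricted, all users,
    # skip DLLs (TransparentEnabled = 1), no certificate rules. Existing values are left alone.
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    $defaults = @{ DefaultLevel = 262144; TransparentEnabled = 1; PolicyScope = 0; AuthenticodeEnabled = 0 }
    foreach ($name in $defaults.Keys) {
        if ($null -eq (Get-ItemProperty -Path $SaferRoot -Name $name -ErrorAction SilentlyContinue)) {
            New-ItemProperty -Path $SaferRoot -Name $name -PropertyType DWord -Value $defaults[$name] | Out-Null
        }
    }
    if ($null -eq (Get-ItemProperty -Path $SaferRoot -Name ExecutableTypes -ErrorAction SilentlyContinue)) {
        # Designated file types; a *.exe path rule only bites if EXE is in this list.
        $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
                 'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
        New-ItemProperty -Path $SaferRoot -Name ExecutableTypes -PropertyType MultiString -Value $types | Out-Null
    }
}

function Get-SrpPathRule {
    # Every path rule is a GUID-named key under <level>\Paths holding ItemData (the path) and Description.
    foreach ($levelName in $SrpLevel.Keys) {
        $paths = Join-Path $SaferRoot "$($SrpLevel[$levelName])\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($key in Get-ChildItem -Path $paths) {
            $p = Get-ItemProperty -Path $key.PSPath
            [pscustomobject]@{ Level = $levelName; Path = $p.ItemData; Description = $p.Description; Key = $key.PSChildName }
        }
    }
}

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [ValidateSet('Disallowed', 'Unrestricted')] [string]$Level = 'Disallowed',
        [string]$Description = ''
    )
    # Idempotent: skip when a rule for this path already exists at this level.
    if (Get-SrpPathRule | Where-Object { $_.Level -eq $Level -and $_.Path -eq $Path }) { return }
    $key = Join-Path $SaferRoot "$($SrpLevel[$Level])\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    # ItemData is REG_EXPAND_SZ, so %AppData%-style variables are expanded per user when the rule is evaluated.
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0 | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

Initialize-SrpPolicy

# The Disallowed rules from this guide (Vista/7/8 paths).
$blockRules = @(
    @{ Path = '%AppData%\*.exe';                 Description = "Don't allow executables to run from %AppData%." },
    @{ Path = '%LocalAppData%\*.exe';            Description = "Don't allow executables to run from %LocalAppData%." },
    @{ Path = '%AppData%\*\*.exe';               Description = "Don't allow executables to run from immediate subfolders of %AppData%." },
    @{ Path = '%LocalAppData%\*\*.exe';          Description = "Don't allow executables to run from immediate subfolders of %LocalAppData%." },
    @{ Path = '%LocalAppData%\Temp\Rar*\*.exe';  Description = 'Block executables run from archive attachments opened with WinRAR.' },
    @{ Path = '%LocalAppData%\Temp\7z*\*.exe';   Description = 'Block executables run from archive attachments opened with 7zip.' },
    @{ Path = '%LocalAppData%\Temp\wz*\*.exe';   Description = 'Block executables run from archive attachments opened with WinZip.' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe'; Description = 'Block executables run from archive attachments opened using Windows built-in Zip support.' }
)
foreach ($r in $blockRules) { New-SrpPathRule -Path $r.Path -Level Disallowed -Description $r.Description }

# Allow-list exception for one legitimate per-user program. ExampleVendor\ExampleApp.exe is a hypothetical
# placeholder: name the exact executable, never a wildcard or folder, so malware cannot borrow the exception.
New-SrpPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp.exe' -Level Unrestricted -Description 'Allow ExampleApp, which installs under the user profile.'

# Read back what is now in force.
Get-SrpPathRule | Sort-Object Level, Path | Format-Table -AutoSize
```

Log off and back on (or reboot) before testing, then try to launch a harmless copy of an executable placed in %AppData% and in %Temp%: both should be refused with the "This program is blocked by group policy" message, while the exact path named in the Unrestricted rule still runs. On a domain, put the same rules in a GPO rather than running this against each machine, and keep in mind that SRP only evaluates the file types in ExecutableTypes and, with TransparentEnabled set to 1, does not check DLLs.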