Crooks have set up a dynamic redirection mechanism

Feb 2, 2015 21:46 GMT  ·  By

A new wave of spam linking to file-encryption malware Critroni aims at tricking unsuspecting recipients into believing that an update for Chrome web browser is due and that it is available at the online location provided in the message.

Critroni, also known as CTB-Locker, is a ransomware type of threat that encrypts the data on the affected system and then displays a message asking the victim for a fee in order to unlock the files.

Chrome installers are downloaded from multiple locations

According to Jerome Segura from Malwarebytes, the malicious payload is downloaded from websites that appear to have been compromised by the cybercriminals for the purpose of hosting the malicious piece.

Delivery of the threat relies on a dynamic redirection mechanism, which has been traced to assetdigitalmarketing[.]com/redirect[.]php. What the victim receives is a file pretending to be an installer for Google Chrome. Once launched, the encryption process begins and the ransom message is displayed when the operation completes.

Retrieving the data without paying the ransom is possible with older variants of the malware, which do not delete the shadow copies of the files created by the Windows Volume Shadow Service. In that fortunate case the items can be recovered using programs such as Shadow Explorer; however, not all variants have this flaw.
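A defender-side check of the recovery path described above, as an added PowerShell example that is not from the article, Malwarebytes or Shadow Explorer: it lists the shadow copies VSS still holds for a volume and copies one file back out of the newest snapshot. It assumes an elevated session; the volume, file path and destination are placeholders.

```powershell
# Added example (not from the article): enumerate surviving Volume Shadow Service
# snapshots and recover one user file from the newest one.
# Assumptions: run as Administrator; $Volume, $RelativePath and $Destination are placeholders.
$Volume       = 'C:\'
$RelativePath = 'Users\victim\Documents\report.docx'   # path inside the volume, no drive letter
$Destination  = 'D:\recovered\report.docx'

# Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ id, so map the drive letter to it first
$volumeId  = (Get-CimInstance -ClassName Win32_Volume | Where-Object Name -eq $Volume).DeviceID
$snapshots = @(Get-CimInstance -ClassName Win32_ShadowCopy |
               Where-Object VolumeName -eq $volumeId |
               Sort-Object InstallDate -Descending)

# An empty list is the signature of a variant that wiped the shadow copies before encrypting
if ($snapshots.Count -eq 0) {
    Write-Warning "No shadow copies remain for $Volume; this variant probably deleted them."
    return
}

$snapshots | Format-Table InstallDate, DeviceObject -AutoSize

# Expose the newest snapshot as a directory symlink; the trailing backslash on the device path is required
$newest = $snapshots[0]
$mount  = 'C:\shadow_newest'
cmd /c mklink /d $mount ($newest.DeviceObject + '\') | Out-Null

try {
    $source = Join-Path $mount $RelativePath
    if (Test-Path $source) {
        New-Item -ItemType Directory -Path (Split-Path $Destination) -Force | Out-Null
        Copy-Item -Path $source -Destination $Destination
        Write-Host "Recovered $RelativePath from snapshot taken $($newest.InstallDate)"
    } else {
        Write-Warning "$RelativePath is not present in the newest snapshot; try an older entry from the table"
    }
}
finally {
    # rmdir on a directory symlink removes only the link, never the snapshot behind it
    cmd /c rmdir $mount | Out-Null
}
```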

New CTB-Locker is pricier than before

One of the most recent versions of Critroni comes with an extended grace period for making the bitcoin payment, 96 hours from the initial 72, but it also has higher financial demands, a few hundred dollars instead of less than 50 asked in the summer of 2014.

It also has versions of the ransom message in multiple languages and offers the possibility to decrypt a total of five items, as a sign of good faith.

Malwarebytes seems to have caught the newest release of the ransomware (detected as Trojan.ZBAgent.NS), as the payment request is for 2 bitcoins (currently about $450 / €400) and the deadline is 96 hours; when the waiting period is over, the key that decrypts the data is deleted from the server and the victim is left with the files encrypted.

Applied to this scam in particular, users should remember that Google Chrome updates itself automatically in the background without user intervention. The entire process is seamless and the new version becomes active when the user re-launches the application.

Mozilla Firefox has its own automated update process, too, while Internet Explorer receives the latest builds via Windows Update.

Notifications about a new program version are not delivered via email; most of the time they arrive as in-program alerts. As such, before rushing to get an update from a link received via email, it is best to verify from within the application itself whether a new revision is available.

Images: Ransom message from Critroni; malicious email claiming to point to a legitimate Chrome update.