Extends deadline, offers free decryption service

Jan 23, 2015 15:15 GMT  ·  By

Security researchers have identified new strains of the Critroni ransomware, also known as CTB-Locker, that give victims a longer period in which to pay the ransom and let them decrypt a handful of files free of charge.

Previous versions of the malware required payment within 72 hours, after which the fee increased. Earlier versions also offered no free trial of the decryption service; the trial is intended to convince the victim that all data will be recovered if the ransom is paid.

Critroni operators try new business model

In the new variants, detected in January 2015, the grace period is set to 96 hours (with no extension offered) and the number of files that can be decrypted for free is five. Obviously, the new approach is designed to increase the share of victims who pay the ransom.

“Analysis of the variant revealed a feature previously unseen in CTB Locker variants—the chance to decrypt files for free. This freemium model was seen in the malware CoinVault, but this CTB Locker variant upped the ante by allowing the victim to choose five files, rather than just one, to be decrypted,” Trend Micro says in a blog post.

There is a downside, however: security researchers point out that the ransom has increased to 3 BTC (currently $700 / €610). In samples from July 2014, Critroni asked for 0.2 BTC ($46 / €41).

Another improvement in the new strains is a localized ransom message: the text can be displayed in languages other than English, with German, Dutch, and Italian variants observed so far.

Malicious emails are used to deliver the threat

Trend Micro has observed that the malware is delivered through email messages in various languages that claim to be important notices. The messages carry an attachment containing a malware downloader, which is archived twice (an archive inside another archive). Once the file is executed, it downloads Critroni from compromised websites hosted in France.
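A defender-side check for the delivery pattern described above, written here as an added example (it is not code from the article or from Trend Micro): it inspects an email attachment for an archive nested inside another archive that carries an executable at the innermost level, which is how the doubly archived downloader arrives. The extension list and the file names are assumptions; the sample attachments are constructed inline with placeholder bytes.

```python
import io
import zipfile

# Extensions a downloader posing as a "notice" is likely to use (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".js", ".vbs", ".bat", ".cmd")
MAX_DEPTH = 3  # bound the recursion so deeply nested archives cannot stall the check


def inspect_archive(data: bytes, depth: int = 1) -> dict:
    """Walk a ZIP blob (and ZIPs inside it); report archive levels and executables."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"depth": depth - 1, "executables": []}  # not an archive at this level
    result = {"depth": depth, "executables": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(EXECUTABLE_EXTENSIONS):
                result["executables"].append(name)
            elif name.lower().endswith(".zip") and depth < MAX_DEPTH:
                inner = inspect_archive(zf.read(info), depth + 1)
                result["depth"] = max(result["depth"], inner["depth"])
                result["executables"] += [f"{name}/{e}" for e in inner["executables"]]
    return result


def is_suspicious_attachment(data: bytes) -> bool:
    """True for the article's pattern: archive-in-archive with an executable inside."""
    report = inspect_archive(data)
    return report["depth"] >= 2 and bool(report["executables"])


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (placeholder bytes, not real malware).
INNER = build_zip({"notice.exe": b"MZ placeholder"})
NESTED_SAMPLE = build_zip({"notice.zip": INNER})             # zip-in-zip holding an .exe
BENIGN_SAMPLE = build_zip({"notice.txt": b"See attached."})  # single zip holding a document

if __name__ == "__main__":
    print(inspect_archive(NESTED_SAMPLE))
    print("nested:", is_suspicious_attachment(NESTED_SAMPLE))
    print("benign:", is_suspicious_attachment(BENIGN_SAMPLE))
```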

The researchers have determined that the malicious messages are sent automatically from systems that are part of the Cutwail spam botnet.

As a protection measure, it is advisable to verify the address of any sender that looks suspicious and to avoid opening attachments of unknown origin.

If infected with ransomware that encrypts data on the computer, it is advisable not to pay the ransom, in order to discourage the practice. Keeping regular backups, at least of the most important files, ensures they can be recovered after an infection with this type of malware.

New Critroni (3 images): extended period for paying the ransom; decryption service can be tested on 5 files; ransom message is available in multiple languages.