CTB-Locker ransomware campaign spotted in the wild

Aug 1, 2015 09:37 GMT  ·  By
The email sent to users to trick them into downloading the CTB-Locker files

It only took two days for the first Windows 10 ransomware campaign to be detected, as Cisco's Talos Security Intelligence and Research Group reports.

As with every ransomware campaign we've seen recently, the attackers tie their lure to a hot event to trick users into downloading malicious files onto their PCs.

Released only two days ago, Windows 10 has already been installed on over 67 million computers, and the number is set to climb further, since Microsoft is aiming for 1 billion installs.

This makes Windows 10 a hot topic for ransomware campaigns, and the Cisco Talos team has already come upon one of them.

The attackers, using an IP address assigned to Thailand, are distributing carefully-crafted emails to users, inviting them to install Microsoft's Windows 10 OS.

CTB-Locker used to lock unsuspecting users out of their PCs

These emails come with an attachment, a ZIP archive which contains an executable that delivers the payload: CTB-Locker.

If your antivirus doesn't detect it and you run the executable without first checking the archive with a service like VirusTotal, CTB-Locker encrypts your files and greets you with a message like the one below.
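The attachment described above is a ZIP archive wrapping a Windows executable. The following Python script is an added example, not code from Cisco Talos or Softpedia, of the check a mail gateway or an analyst could run on such an attachment before anyone opens it: it lists every archive member that is a Windows executable, either by extension (including double extensions such as "Upgrade.pdf.scr") or by the PE "MZ" magic at the start of its content, and records a SHA-256 hash that can be looked up on VirusTotal. The sample archive and its member names are constructed here; the "payload" is an inert two-byte MZ stub with no real code, and the size cap is an assumed value.

```python
import hashlib
import io
import os
import zipfile

# Extensions Windows executes directly when double-clicked. A gateway should not
# let these through inside an archive from an unknown sender.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta"}

# Assumed cap on how much of a single member we are willing to inflate; larger
# members are flagged without being read so a zip bomb cannot exhaust memory.
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def is_pe_image(data: bytes) -> bool:
    """True if the bytes start with the DOS 'MZ' stub every Windows PE carries."""
    return data[:2] == b"MZ"


def inspect_zip(blob: bytes) -> list:
    """Return one finding per archive member that looks like a Windows executable.

    A member is flagged when its name ends in an executable extension (this also
    catches double extensions such as 'Setup.pdf.exe', since only the last one
    counts for Windows) or when its content starts with the PE 'MZ' magic,
    whatever the name claims.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            by_name = os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS

            if info.file_size > MAX_MEMBER_BYTES:
                # Oversized: flag on name alone, don't inflate it.
                findings.append({"name": name, "size": info.file_size,
                                 "executable_extension": by_name,
                                 "pe_magic": None, "sha256": None})
                continue

            data = zf.read(info)
            by_magic = is_pe_image(data)
            if by_name or by_magic:
                findings.append({
                    "name": name,
                    "size": len(data),
                    "executable_extension": by_name,
                    "pe_magic": by_magic,
                    # Hash of the member itself, suitable for a VirusTotal lookup.
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP shaped like the lure, with an inert stand-in payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Inert stand-in for the dropper: just the MZ header, no real code.
        zf.writestr("Win10Installer.exe", b"MZ" + b"\x00" * 62)
        # Same trick with a double extension; .scr is also run by Windows.
        zf.writestr("Upgrade_Instructions.pdf.scr", b"MZ" + b"\x00" * 62)
        # A benign text member that must not be flagged.
        zf.writestr("README.txt", b"Thank you for choosing Windows 10\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_attachment()):
        print(finding)
```

Checking both the extension and the magic matters: renaming a dropper to "Setup.txt" defeats the extension check but not the MZ check, while a script lure (.js, .vbs) has no MZ header and is caught only by the extension list. Neither check replaces a sandbox detonation, but together they are cheap enough to run on every attachment.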

According to the Cisco team, "the functionality is standard [...], using asymmetric encryption that allows the adversaries to encrypt the user’s files without having the decryption key reside on the infected system."

Users are given only four days to pay the "ransom," a much smaller window than other ransomware campaigns currently allow.

"Also, by utilizing TOR and Bitcoin" the attackers "are able to remain anonymous and quickly profit from their malware campaigns with minimal risk."

The Cisco Talos team recommends that users create backups of their PCs on a regular basis and store them offline. Additionally, server admins are encouraged to use Cisco products like AMP, CWS, WSA, ESA, or Network Security to prevent these threats from ever reaching users.

At Softpedia, we also encourage upgrading your PC to Windows 10 using the steps described by our Windows testers.

The message shown on infected computers
