CTB-Locker upgrades decryption key delivery system

Apr 15, 2016 16:36 GMT  ·  By
CTB-Locker upgrades decryption key delivery process to work via Bitcoin blockchain

An unexplained change in the behavior of a ransomware variant that targets websites prompted security researchers to investigate what was behind it.

Their research focused on the CTB-Locker ransomware family, which is mainly known for infecting and locking desktop computers but has recently expanded to websites through a PHP version, first observed in February.

CTB-Locker March update alerted security researchers

The change that caught the eye of Sucuri's researchers is an update to the ransomware's "Free decrypt" page, where victims can unlock one file per infection at no charge.

In the versions first spotted in February, this page really did allow one decrypt free of charge. That changed in the versions spotted in March, when the ransomware authors started asking for 0.0001 Bitcoin (about 4 US cents at the time).

Interestingly, 0.0001 BTC was the standard minimum fee for a Bitcoin transaction at the time, which prompted the researchers to take a closer look at the Bitcoin addresses the ransomware used.

Ransomware uses Bitcoin OP_RETURN outputs to send decryption keys

It didn't take long for the researchers to observe that the ransomware was using the Bitcoin blockchain itself to deliver decryption keys to its victims, by way of a script opcode called OP_RETURN. An OP_RETURN output is provably unspendable, but it can carry a small arbitrary data payload (80 bytes under the default node policy of the time), which is recorded in the blockchain along with the rest of the transaction.

For each infected website, the ransomware authors created a dedicated Bitcoin address, which they monitored. A payment of exactly 0.0001 Bitcoin, the minimum transaction fee, arriving at that address was taken as a request for the free decrypt operation.

From another address, they would then send a transaction to the infected website's unique Bitcoin address that included an extra OP_RETURN output. That output can never be spent, but the transaction is otherwise valid and confirms like any other, so its OP_RETURN metadata becomes a permanent, publicly readable part of the blockchain.

The ransomware script on the infected site would then use the Blockexplorer.com API to look up transactions to its address and read the OP_RETURN field, which held the decryption key for the single file submitted through the free decrypt operation. If the victim paid the entire ransom, the same field carried the master decryption key for all files.
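The mechanism above, as an added example that is not code from the article or from Sucuri: a small parser for legacy Bitcoin transactions that extracts the data pushed after OP_RETURN, plus the decision rules the article attributes to the ransomware (a 0.0001 BTC payment to the per-site address is a free-decrypt request; a transaction paying that address and carrying an OP_RETURN output is a key delivery). The victim address, the key bytes and the 0.4 BTC full-ransom figure are constructed for the demo and are not taken from the article, and the transactions are built locally rather than fetched from a block explorer, so it runs offline.

```python
# Added example, not code from the article or from Sucuri: parse a raw
# Bitcoin transaction, pull the data pushed after OP_RETURN, and apply the
# decision rules the article attributes to the PHP ransomware. The victim
# address, ransom amount and key bytes are constructed for the demo.
import struct
from dataclasses import dataclass

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D
FREE_DECRYPT_SATOSHIS = 10_000        # 0.0001 BTC, the amount the article cites
RANSOM_SATOSHIS = 40_000_000          # 0.4 BTC: hypothetical full ransom, not from the article


@dataclass
class TxOut:
    value: int      # satoshis
    script: bytes   # scriptPubKey


def read_varint(buf: bytes, pos: int):
    """Bitcoin CompactSize integer: 1, 3, 5 or 9 bytes, little-endian."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + width


def write_varint(n: int) -> bytes:
    """Inverse of read_varint for the sizes this demo needs (< 65536)."""
    return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)


def parse_outputs(raw: bytes) -> list:
    """Walk a legacy (non-segwit) serialized transaction and return its outputs."""
    pos = 4                                   # skip version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                             # previous txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                 # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        script_len, pos = read_varint(raw, pos + 8)
        outs.append(TxOut(value, raw[pos:pos + script_len]))
        pos += script_len
    return outs


def op_return_payload(script: bytes):
    """Bytes pushed after OP_RETURN, or None if the script is not a data carrier."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op = script[1]
    if op < OP_PUSHDATA1:                     # direct push: the opcode is the length
        n, start = op, 2
    elif op == OP_PUSHDATA1:
        n, start = script[2], 3
    elif op == OP_PUSHDATA2:
        n, start = struct.unpack_from("<H", script, 2)[0], 4
    else:
        return None                           # OP_PUSHDATA4 never fits a standard 80-byte carrier
    payload = script[start:start + n]
    return payload if len(payload) == n else None   # reject truncated pushes


def serialize_tx(outputs: list) -> bytes:
    """Minimal legacy transaction with one dummy, unsigned input (constructed test data)."""
    raw = struct.pack("<i", 1) + write_varint(1)
    raw += b"\x00" * 32 + struct.pack("<I", 0) + write_varint(0) + struct.pack("<I", 0xFFFFFFFF)
    raw += write_varint(len(outputs))
    for o in outputs:
        raw += struct.pack("<q", o.value) + write_varint(len(o.script)) + o.script
    return raw + struct.pack("<I", 0)         # locktime


def p2pkh_script(pubkey_hash: bytes) -> bytes:
    """OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG"""
    return b"\x76\xa9\x14" + pubkey_hash + b"\x88\xac"


def classify(raw_tx: bytes, victim_script: bytes):
    """Apply the article's rules to one transaction touching the per-site address."""
    outs = parse_outputs(raw_tx)
    paid = sum(o.value for o in outs if o.script == victim_script)
    if paid == 0:
        return "unrelated", None
    for o in outs:                            # crook-originated: the key rides in OP_RETURN
        data = op_return_payload(o.script)
        if data is not None:
            return "key_delivery", data
    if paid == FREE_DECRYPT_SATOSHIS:         # victim-originated: one free decrypt
        return "free_decrypt_request", None
    return ("full_payment" if paid >= RANSOM_SATOSHIS else "underpaid"), None


# Constructed demo data: a fake per-victim address and a fake 32-byte key.
VICTIM_SCRIPT = p2pkh_script(bytes(range(20)))
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff") * 2
REQUEST_TX = serialize_tx([TxOut(FREE_DECRYPT_SATOSHIS, VICTIM_SCRIPT)])
KEY_TX = serialize_tx([TxOut(FREE_DECRYPT_SATOSHIS, VICTIM_SCRIPT),
                       TxOut(0, bytes([OP_RETURN, len(DEMO_KEY)]) + DEMO_KEY)])
```

`classify(REQUEST_TX, VICTIM_SCRIPT)` yields a free-decrypt request and `classify(KEY_TX, VICTIM_SCRIPT)` yields the key bytes; a defender hunting for this pattern on the real chain would feed `parse_outputs` the raw hex of each transaction to a suspected per-site address and treat any OP_RETURN output alongside a payment as the delivery channel. The parser deliberately rejects truncated pushes and ignores OP_PUSHDATA4, which a standard data-carrier output never uses.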

The Bitcoin blockchain is more reliable than the old "gate" system

The ransomware authors switched to this mechanism because of the weakness of their previous payment-checking system, which relied on so-called "gates": servers the infected site contacted to check whether the ransom had been paid and to fetch the decryption key.

All of these gates were hosted on other compromised websites, which could be cleaned up at any time, putting the crooks' operation at risk. A public blockchain, by contrast, cannot be taken down or cleaned up by a hosting provider.

Nevertheless, the threat posed by the web version of CTB-Locker appears to have been overestimated initially. Sucuri explains that many of the infected websites it saw were simply restored from older backups, which even the least capable hosting providers can usually supply (even if some mistakenly delete them, occasionally beyond recovery).

Overall, Sucuri says it did not see any of the ransomware's Bitcoin addresses receive a full ransom payment, which leads it to believe that in most cases webmasters simply restored their sites from backups.

CTB-Locker March Free Decrypt page version