THREAT BRIEF
We are experiencing a resurgence of the malware family Critroni, also known as Curve-Tor-Bitcoin (CTB) Locker. This crypto-ransomware variant encrypts files and uses Tor to mask its command-and-control (C&C) communications. This particular variant arrives as an email attachment. Upon execution, it connects to several URLs to download the crypto-ransomware, which then displays a ransom message. Users must pay the ransom in Bitcoins before the set deadline expires; otherwise, all the files will remain permanently encrypted.
Notable Routines in this Variant
• This particular variant, TROJ_CRYPCTB.YN (family detection TROJ_CRYPCTB.SME), offers users the option of decrypting 5 files for free, as proof that decryption is possible. This feature was not previously seen in other CTB Locker variants; it is actually found in another crypto-ransomware family, CoinVault.
• Users are also given 96 hours, instead of 72 hours, to pay the ransom fee.
• The displayed ransom message has options for four languages, namely, English, Italian, German, and Dutch.