The CTB Locker virus (Curve-Tor-Bitcoin Locker) is dangerous malware, a cryptovirus in the ransomware category of computer infections, similar to the FBI virus. The malware, whose name stands for 'Curve Tor Bitcoin Locker', was first identified last year; the spam distribution approach, however, appears to be a relatively new development (McAfee). Some of its new features at a glance: it hides from authorities by communicating with its command and control servers over the Tor anonymity network, and it uses elliptic curve cryptography to encrypt your files. This encryption is a lot faster than CryptoLocker's, so once it gets onto your PC or mapped.
Curve-Tor-Bitcoin Locker: Bitcoin Ransomware Now Spreading via Spam Campaigns
Anecdotal evidence suggests. The victim then has to pay a ransom to have the files decrypted. Once encryption is complete, the user is informed of the attack through a pop-up ransom message that displays a countdown. If the user does not pay the bitcoin ransom within 96 hours, the decryption key is destroyed and the files remain permanently encrypted.
The pop-up lets the user see the list of encrypted files, along with information on how to make a payment and obtain the decryption code. Symantec identifies the final payload as Trojan. The malware is being propagated via spam campaigns, as a. The zipped file contains the downloader for CTB-Locker. Aside from standard sound security practices, e.g. not opening.
The best way to reduce the impact of a potential crypto-ransomware attack is to back up valuable files regularly. So far, researchers have uncovered the following names used to store the downloader: malformed. If your files have been encrypted and you are not going to pay the ransom, there are a few methods you can try to restore them. The first and best method is to restore your data from a recent backup.
If you have been performing backups, use them to restore your data. It appears that when CTB Locker encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original.
Because of this, you may be able to use file recovery software such as R-Studio or PhotoRec to recover some of your original files. Note that the more you use your computer after the files are encrypted, the harder it becomes for file recovery programs to recover the deleted unencrypted files, since their disk sectors get overwritten. As a last resort, you can try to restore your files via Shadow Volume Copies. Unfortunately, this infection will attempt to delete any Shadow Volume Copies on your computer, but sometimes it fails to do so and you can use them to restore your files.
For more information on how to restore your files via Shadow Volume Copies, please see the link below. If you had your DropBox account mapped as a drive letter, it is possible that its contents were encrypted by CTB Locker.
If this is the case, you can use the link below to learn how to restore your files. If you had System Restore enabled on the computer, Windows creates shadow copy snapshots containing copies of your files from the point in time when each restore snapshot was created. These snapshots may allow you to restore a previous version of your files from before they were encrypted.
This method is not foolproof, though: even if these files are not encrypted, they may not be the latest version of the file. Note: newer variants of CTB Locker will attempt to delete all shadow copies the first time you start any executable on your computer after becoming infected.
Thankfully, the infection is not always able to remove the shadow copies, so you should still try restoring your files using this method. In this section we provide two methods you can use to restore files and folders from a Shadow Volume Copy. The first method uses native Windows features and the second uses a program called ShadowExplorer. It does not hurt to try both and see which method works better for you.
To restore individual files you can right-click on the file, go into Properties , and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up as shown in the image below.
To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to. If you wish to restore the selected file and replace the existing one, click on the Restore button.
If you wish to view the contents of the actual file, you can click on the Open button to see the contents of the file before you restore it. This same method can be used to restore an entire folder. Simply right-click on the folder, select Properties, and then the Previous Versions tab.
You will then be presented with a screen similar to the one above, where you can either Copy the selected backup of the folder to a new location or Restore it over the existing folder. You can also use a program called ShadowExplorer to restore entire folders at once.
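The Previous Versions tab reads from the same Volume Shadow Copy store that can be queried from an elevated PowerShell session. The script below is an added example and is not part of the original guide: it lists the snapshots VSS still holds for a volume (an empty list means the infection succeeded in deleting them), maps each snapshot to a temporary directory link, and copies out every surviving copy of one file, tagged with the snapshot date so you can pick the newest pre-encryption version. The volume, relative file path and destination folder are placeholders.

```powershell
# Added example (not from the original guide): enumerate Volume Shadow Copies for a volume
# and copy every snapshot copy of one file out to a recovery folder.
# Assumptions: run in an elevated PowerShell on the affected machine; $Volume,
# $RelativePath and $Destination are placeholders to adjust.
param(
    [string]$Volume       = 'C:\',
    [string]$RelativePath = 'Users\Public\Documents\report.docx',  # placeholder path
    [string]$Destination  = 'C:\Recovered'
)

# Resolve the drive letter to the \\?\Volume{GUID}\ name that Win32_ShadowCopy reports.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Volume }
if (-not $vol) { throw "Volume $Volume not found" }

# Newest snapshot first. CTB Locker tries to delete these, so an empty list means
# this recovery path is gone; anything left is worth trying.
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning "No shadow copies remain for $Volume (the infection may have removed them)."
    return
}

$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

foreach ($s in $shadows) {
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3;
    # a directory symbolic link to it (trailing backslash required) exposes the
    # snapshot as a normal folder tree.
    $link = Join-Path $env:TEMP ('vss_' + $s.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $RelativePath
        if (Test-Path $candidate) {
            $stamp = '{0:yyyyMMdd-HHmmss}' -f $s.InstallDate
            $out   = Join-Path $Destination ($stamp + '_' + (Split-Path $RelativePath -Leaf))
            Copy-Item -Path $candidate -Destination $out
            Write-Host "Recovered $candidate -> $out"
        }
    } finally {
        # Remove only the link, never the snapshot contents.
        cmd /c rmdir "$link" | Out-Null
    }
}
```

Copying rather than restoring in place keeps the encrypted file untouched, which matters if you later decide to pay or if a decrypter appears; compare the recovered copies by date before replacing anything.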
When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.
When you start the program you will be shown a screen listing all the drives and the dates on which a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from.
This is shown in the image below. To restore a whole folder, right-click on a folder name and select Export. You will then be prompted for the location where you would like to restore the contents of the folder.
How to restore files that have been encrypted in DropBox folders.
If you have DropBox mapped to a drive letter on an infected computer, CTB Locker will attempt to encrypt the files on that drive.
DropBox offers free versioning on all of its accounts, which allows you to restore encrypted files through their website. Unfortunately, the restore process offered by DropBox only allows you to restore one file at a time rather than a whole folder. If you need instructions on restoring an entire folder in DropBox, please click here.
To restore a file, simply log in to the DropBox web site and navigate to the folder that contains the encrypted files you wish to restore. Once you are in the folder, right-click on the encrypted file and select Previous Versions as shown in the image below.
When you click on Previous Versions you will be presented with a screen that shows all versions of the encrypted file. Select the version of the file you wish to restore and click on the Restore button. Unfortunately, the process outlined above can be very time consuming if there are many folders to restore. In order to restore an entire folder of encrypted files, you can use the dropbox-restore python script located here.
Please note that this script requires Python to be installed on the computer used to run it. This bitcoin address will be unique to your computer and will not be used by others. Once a payment is made you must wait until there are a certain number of bitcoin confirmations before your private key and a decrypter will supposedly be made available for download.
Will paying the ransom actually decrypt your files? At this point the infection is too new to know the answer to this question. As we learn more, we will update this FAQ with this information.
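For the DropBox folder restore described above, the following is an added example that is not the dropbox-restore script the guide links to: it uses the Dropbox HTTP API v2 from PowerShell to walk a folder (including entries the ransomware deleted after writing its encrypted copy) and roll each file back to its newest revision from before the infection started. The access token, folder path and cutoff time are placeholders, and the endpoint names and response fields are assumed from Dropbox's public API documentation, so verify them against the current reference before relying on the script.

```powershell
# Added example (not the guide's dropbox-restore script): restore every file under a
# Dropbox folder to its newest pre-infection revision via the Dropbox HTTP API v2.
# Assumptions: $Token is a valid OAuth access token (placeholder); the list_folder,
# list_folder/continue, list_revisions and restore endpoints and their JSON fields are
# as documented by Dropbox; $Cutoff is when encryption began (constructed value).
$Token   = 'PLACEHOLDER_ACCESS_TOKEN'
$Folder  = '/Documents'                      # Dropbox path, not the local drive letter
$Cutoff  = Get-Date '2015-06-02T09:00:00Z'   # constructed infection start time
$Headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

function Invoke-Dbx([string]$Endpoint, [hashtable]$Body) {
    Invoke-RestMethod -Method Post -Uri "https://api.dropboxapi.com/2/files/$Endpoint" `
        -Headers $Headers -Body ($Body | ConvertTo-Json -Compress)
}

# Walk the folder recursively. include_deleted matters because the ransomware writes the
# encrypted copy and deletes the original; the original path then shows as a deleted entry
# whose earlier revisions can still be restored.
$entries = @()
$page = Invoke-Dbx 'list_folder' @{ path = $Folder; recursive = $true; include_deleted = $true }
$entries += $page.entries
while ($page.has_more) {
    $page = Invoke-Dbx 'list_folder/continue' @{ cursor = $page.cursor }
    $entries += $page.entries
}

$results = foreach ($f in ($entries | Where-Object { $_.'.tag' -in 'file', 'deleted' })) {
    $revs = (Invoke-Dbx 'list_revisions' @{ path = $f.path_lower; mode = 'path'; limit = 100 }).entries
    # Newest revision whose server timestamp predates the infection.
    $good = $revs |
        Where-Object { [datetime]$_.server_modified -lt $Cutoff } |
        Sort-Object { [datetime]$_.server_modified } -Descending |
        Select-Object -First 1
    # Skip files that are already at a pre-infection revision (deleted entries have no rev).
    if ($good -and $good.rev -ne $f.rev) {
        Invoke-Dbx 'restore' @{ path = $f.path_lower; rev = $good.rev } | Out-Null
        [pscustomobject]@{ Path = $f.path_display; RestoredRev = $good.rev; From = $good.server_modified }
    }
}
$results | Format-Table -AutoSize
```

Choosing the revision by server timestamp rather than "one version back" is what makes this safe on a folder where some files were touched several times during the attack; run it against a small test folder first, because a wrong cutoff rolls back legitimate edits too.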
How to prevent your computer from becoming infected by CTB Locker. You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths.
For more information on how to configure Software Restriction Policies, please see these articles from Microsoft:. To create these Software Restriction Policies, you can either use the CryptoPrevent tool or add the policies manually. Both methods are described below. This is a useful feature as it makes sure the restrictions that are put in place do not affect legitimate applications already installed on your computer.
Once you run the program, simply click on the Apply Protection button to add the default Software Restriction Policies to your computer. If you wish to customize the settings, then please review the checkboxes and change them as necessary. If CryptoPrevent causes issues running legitimate applications, then please see this section on how to enable specific applications. You can also remove the Software Restriction Policies that were added by clicking on the Undo button. If you are a home user you should create these policies using the Local Security Policy editor.
If you are on a domain, then your domain administrator should use the Group Policy Editor. To open the Local Security Policy editor, click on the Start button and type Local Security Policy and select the search result that appears.
In this guide we will use the Local Security Policy Editor in our examples. Once the above screen is open, expand Security Settings and then click on the Software Restriction Policies section. If you do not see the items in the right pane as shown above, you will need to add a new policy. This enables the policy and the right pane will appear as in the image above. You should then click on the Additional Rules category, right-click in the right pane and select New Path Rule. You should then add a Path Rule for each of the items listed below.
If the Software Restriction Policies cause issues when trying to run legitimate applications, see the section below on how to enable specific applications. Below are a few Path Rules that we suggest you use, not only to block the infections from running but also to block attachments from being executed when opened in an e-mail client.
Block executables run from archive attachments opened using Windows built-in Zip support:. If you need help configuring this, feel free to ask in the CTB Locker help topic.
How to allow specific applications to run when using Software Restriction Policies.
This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong.
Due to this, the Software Restriction Policies will prevent those applications from running. Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path Rule that specifies a program is allowed to run overrides any path rules that may block it.
Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to use the manual steps given above to add a Path Rule that allows the program to run.
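The Local Security Policy editor stores each path rule as a registry key under the Safer\CodeIdentifiers hive, so the block rules from the previous section and the allow rule described here can be created from an elevated PowerShell prompt. The script below is an added example, not CryptoPrevent's code and not the guide's exact rule list: it writes three commonly used Disallowed path rules (assumed examples, including the one for attachments opened with Windows' built-in Zip support), one Unrestricted rule for a placeholder program installed under the user profile, and then lists what is in place. The registry layout (level 0 = Disallowed, level 262144 = Unrestricted, one GUID-named key per rule with ItemData, SaferFlags, Description and LastModified values) is what secpol.msc writes on Windows 7 through 10, but verify it on your version before deploying widely.

```powershell
# Added example (not CryptoPrevent, not the guide's own list): create Software Restriction
# Policy path rules directly in the registry, the same store the Local Security Policy editor
# uses. Assumptions: run elevated; key layout CodeIdentifiers\<level>\Paths\{GUID} with
# ItemData/SaferFlags/Description/LastModified values; the $BlockPaths patterns and the
# allowed program path are illustrative placeholders, not the guide's exact rules.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # security level: block
$Unrestricted = 262144   # security level: allow (0x40000)

function New-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value (Get-Date).ToFileTime() -PropertyType QWord -Force | Out-Null
    return $key
}

# Enable SRP with an Unrestricted default so only the explicit Disallowed rules bite.
New-Item -Path $Safer -Force | Out-Null
New-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1             -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $Safer -Name PolicyScope        -Value 0             -PropertyType DWord -Force | Out-Null

# Disallowed rules (constructed examples; adjust to your environment). The %Temp%\*.zip\*.exe
# rule covers an executable launched from an attachment opened with Windows' built-in Zip support.
$BlockPaths = @(
    '%AppData%\*.exe',
    '%LocalAppData%\*.exe',
    '%Temp%\*.zip\*.exe'
)
foreach ($p in $BlockPaths) {
    New-SrpPathRule -Path $p -Level $Disallowed -Description "Block $p" | Out-Null
}

# Allow rule for a legitimate program that installs under the user profile (placeholder path).
# An Unrestricted path rule for the program overrides the broader Disallowed rule covering it.
New-SrpPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp\app.exe' `
    -Level $Unrestricted -Description 'Allow ExampleApp (placeholder)' | Out-Null

# Refresh policy and show the rules now in place, grouped by level.
gpupdate /force | Out-Null
foreach ($level in $Disallowed, $Unrestricted) {
    Get-ChildItem "$Safer\$level\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Level = $level; Path = $v.ItemData; Description = $v.Description }
    }
} | Format-Table -AutoSize
```

Test the rules with a harmless executable copied into %AppData% before rolling them out: a blocked launch is logged under Event ID 866 in the Application log, which is also the place to look when a user reports that a legitimate program stopped starting.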