CTB-Locker

ZooloGie

So there is a new "Cryptolocker" going around called CTB-Locker. My first case was on Monday, and after that 5 other clients were infected as well. The source is an email that seems to be a fax with a zip file; the sender and file name are different every time, but inside the zip file there is a *.scr file. Once executed, the ransomware starts encrypting all your files on local and mapped drives, then it changes your background and gives a pop-up screen telling you that you have 96 hours left to pay, with a countdown timer.

How many other cases are there so far?
 
Looks like it's been around since June/July last year.

You should be blocking zip files that contain .scr files, or any other executable file, from being delivered to the users.
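One way to enforce that policy at the mail gateway, as an added example that is not code from this thread or from any mail product: inspect each zip attachment (including zips nested inside zips), flag any member whose final extension Windows will execute, and treat password-protected members as blocked because they cannot be inspected. The filenames and the "fax" archive built at the bottom are constructed for the demonstration.

```python
"""Flag e-mail attachments that carry executable content, including inside
(nested) zip archives. Added example, not from the forum thread; it assumes
the gateway hands us the attachment's filename and raw bytes."""
import io
import zipfile

# Extensions Windows runs directly on double-click. .scr (screensaver) is the
# one the thread's samples used; the others are abused just as often.
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".hta", ".msi", ".cpl", ".lnk",
}
MAX_DEPTH = 3  # archives nested deeper than this are blocked outright


def _is_executable_name(name):
    """Only the final extension matters to Windows: 'fax.pdf.scr' runs as .scr."""
    lower = name.lower().strip()
    dot = lower.rfind(".")
    return dot != -1 and lower[dot:] in EXECUTABLE_EXTENSIONS


def find_executables(data, prefix="", depth=0):
    """Return names of executable members in zip bytes `data`.
    Members of nested zips are prefixed with the path of their archive."""
    if depth > MAX_DEPTH:
        return [prefix + "<nesting too deep>"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip after all; leave it to the other filters
    found = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = prefix + info.filename
            if info.flag_bits & 0x1:
                # Encrypted member: cannot be inspected, so treat as hostile.
                found.append(member + " <encrypted, not inspectable>")
            elif _is_executable_name(info.filename):
                found.append(member)
            elif info.filename.lower().endswith(".zip"):
                found.extend(find_executables(zf.read(info), member + "/", depth + 1))
    return found


def should_block(filename, data):
    """Gateway decision: (block?, reasons). Blocks bare executables and any zip
    that contains one; sniffs the 'PK' magic in case the extension was changed."""
    if _is_executable_name(filename):
        return True, [filename]
    if filename.lower().endswith(".zip") or data[:2] == b"PK":
        hits = find_executables(data)
        return bool(hits), hits
    return False, []


def _build_sample():
    """Constructed sample: a 'fax' zip with a second zip inside, hiding a .scr."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("fax_2015-01-19.pdf.scr", b"MZ fake payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"your fax is attached")
        z.writestr("fax.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    blocked, hits = should_block("fax_scan.zip", _build_sample())
    print("block:", blocked, hits)
```

Checking the final extension only is deliberate: a name such as `fax_2015-01-19.pdf.scr` is a screensaver to Windows no matter what the icon or the middle part suggests. The depth cap stops an attacker from hiding the payload under a stack of archives that a recursive scanner would never reach.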
 
They are doing the same in Steam as well. You would get a link sent from one of your Steam friends that opens a dialog box to install an .scr file.
 
Yes, I handled a lot of cases for this malware on Monday/Tuesday. The malware comes in via e-mail and then, when executed, encrypts your data and appends a randomly generated extension to the encrypted file. When the process is complete the ransom message is displayed. Note that this is an updated version of the one we saw in July and November of last year.

Yes, this malware has been in the wild before, but this is common. Malware, just like normal software, goes through update/upgrade cycles. The authors have obviously updated their malware and re-released it. The first cases I handled were from Sunday.

Currently, most AV vendors should be detecting the malware; however, the best defense against a threat like this is policy based. Common sense helps.

@moondoggie your comments about the file being sent through Steam are intriguing. Did this happen recently? If so, please report: http://www.valvesoftware.com/security/

There is basically no hope of getting the data back unless you pay the ransom.
 
Hi everyone,

I got this CTB-Locker virus from a client PC and ran it in a virtual environment with Process Monitor.
The Process Monitor log shows all the read and write steps the virus does to the registry and files on the PC.
Even when infecting the virtual PC offline with no internet access, CTBL still allows you to decrypt 5 files on your PC.
So, I think there is maybe a way to find the decryption key to unlock your encrypted files by going through the Process Monitor log to see if it left any key or secret file somewhere.

The Process Monitor log is a little bit long for me to sort and read through, and I wonder if anybody can help solve the encrypted files problem. Or you can even see for yourself what CTBL does.

Here is where you can download the CTB-Locker Virus Process Logfile.CSV (1.6MB):
http://www.filedropper.com/ctb-lockervirusprocesslogfile
Anybody is welcome to download the log and check it out for yourself.

I noticed the virus created a file and accessed it a lot in the following directory (the file has no extension):
Appdata\Local\VirtualStore\ProgramData\Microsoft\wngnewd
I am thinking this could maybe be the decryption key or more info about the CTBL virus, but I don't know how to read this file.

Hopefully my info can help with decrypting your files, or anyone can use this process log for solving this problem.
Please let me know if someone figures out how to decrypt your files.

Regards..
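A 1.6 MB Procmon export is far easier to read once it is reduced to "which files did the suspect process create, write and delete". The following is an added example, not code from this thread; it assumes the CSV was saved from Process Monitor with its default export columns ("Time of Day","Process Name","PID","Operation","Path","Result","Detail"). The embedded log lines are constructed to resemble that layout (the process name `fax_2015.scr`, the document names and the `.xkqzpa` extension are made up; only the VirtualStore path comes from the post above). It separates dropped state files under AppData/ProgramData/Temp, the kind of artefact worth pulling off disk, from the create-new/delete-original pairs that mark the encryption pass.

```python
"""Triage a Process Monitor CSV export for one process. Added example, not
from the thread; the sample rows below are constructed in Procmon's default
CSV column layout."""
import csv
import io
import ntpath  # handle Windows paths correctly on any host

SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1234567 AM","fax_2015.scr","2140","CreateFile","C:\Users\victim\AppData\Local\VirtualStore\ProgramData\Microsoft\wngnewd","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created"
"10:02:11.1300000 AM","fax_2015.scr","2140","WriteFile","C:\Users\victim\AppData\Local\VirtualStore\ProgramData\Microsoft\wngnewd","SUCCESS","Offset: 0, Length: 4,096"
"10:02:12.0000000 AM","fax_2015.scr","2140","CreateFile","C:\Users\victim\Documents\budget.xlsx","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"10:02:12.0500000 AM","fax_2015.scr","2140","CreateFile","C:\Users\victim\Documents\budget.xlsx.xkqzpa","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"10:02:12.0600000 AM","fax_2015.scr","2140","WriteFile","C:\Users\victim\Documents\budget.xlsx.xkqzpa","SUCCESS","Offset: 0, Length: 65,536"
"10:02:12.0700000 AM","fax_2015.scr","2140","SetDispositionInformationFile","C:\Users\victim\Documents\budget.xlsx","SUCCESS","Delete: True"
"10:02:13.0000000 AM","explorer.exe","1520","CreateFile","C:\Users\victim\Desktop\notes.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"10:02:14.0000000 AM","fax_2015.scr","2140","CreateFile","C:\Users\victim\Documents\missing.docx","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
'''

# Directories where a dropped state/config file (rather than a victim document)
# would typically land. Assumption for the heuristic, not a Procmon concept.
STATE_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\")


def parse_procmon_csv(text):
    """Rows as dicts keyed by the header names; csv handles the quoted commas
    that Procmon puts in the Detail column (e.g. 'Length: 4,096')."""
    return list(csv.DictReader(io.StringIO(text)))


def file_activity(rows, process_name):
    """Successful file-system events for one process, split into
    created / written / deleted path sets (returned sorted)."""
    created, written, deleted = set(), set(), set()
    for r in rows:
        if r["Process Name"].lower() != process_name.lower():
            continue
        if r["Result"] != "SUCCESS":
            continue  # failed opens (NAME NOT FOUND etc.) are noise here
        op, path, detail = r["Operation"], r["Path"], r["Detail"]
        if op == "CreateFile" and "OpenResult: Created" in detail:
            created.add(path)
        elif op == "WriteFile":
            written.add(path)
        elif op == "SetDispositionInformationFile" and "Delete: True" in detail:
            deleted.add(path)
    return {"created": sorted(created), "written": sorted(written),
            "deleted": sorted(deleted)}


def dropped_files(activity):
    """Files the process both created and wrote under a state directory:
    candidates for the 'key or secret file' the poster is looking for."""
    written = set(activity["written"])
    return [p for p in activity["created"]
            if p in written and any(d in p.lower() for d in STATE_DIRS)]


def encryption_pattern(activity):
    """(original, replacement) pairs: a file deleted in the same directory
    where '<original>.<something>' was created, i.e. the write-new-then-delete
    behaviour with a random extension appended that the thread describes."""
    pairs = []
    created = activity["created"]
    for orig in activity["deleted"]:
        for new in created:
            if new.startswith(orig + ".") and ntpath.dirname(new) == ntpath.dirname(orig):
                pairs.append((orig, new))
    return sorted(pairs)


if __name__ == "__main__":
    act = file_activity(parse_procmon_csv(SAMPLE_CSV), "fax_2015.scr")
    print("dropped:", dropped_files(act))
    print("encrypted:", encryption_pattern(act))
```

On the real log, point `file_activity` at the process name of the .scr and read the `dropped_files` list first: those are the paths to copy out of the VM snapshot. Keep in mind that a file created by the sample is only a key if the author chose to store one there; a process trace shows what was written, not whether it is recoverable.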
 
This is the nastiest thing I have ever been asked to deal with.
I hope they shut these guys down, but 6 months down the road, I doubt anyone is doing anything about it.
 
My company also got infected with this virus this past week. As we speak I am busy tightening up security on the network. If you are in a domain environment, set up Software Restriction Policies using GPOs.
 
It was a rough week; clients got infected. Luckily the backups worked like a charm.
 