Critroni Ransomware Decryption: Not an option

Files EncryptedCritroni ransomware, aka CTB-locker, has made a comeback in 2015. This threat is very similar to other types of crypto-ransomware we have covered.

A quick summary of how these threats work:

  1. Infection begins when a user downloads an attachment from a malicious email or visits an infected website. A “dropper” is installed onto the machine.
  1. The dropper downloads and installs the full malware package.
  1. The malware searches for targeted files and encrypts them. It searches the machine and all available network shares and connected drives.
  1. The malware notifies the user of the situation, demands a ransom in Bitcoins, and gives a deadline for payment. Instructions are given for how to acquire Bitcoins and pay.
  1. If the ransom is not paid by the deadline, the decryption key is destroyed, making it impossible to decrypt the files.

Related - Ransomware: How to prevent a crypto crisis at your business

There are many variations on this theme (Critroni allows you to decrypt up to five files, for example), and it changes constantly.

What's new in Critroni / CTB-locker

We covered the nasty bug last summer, but now it’s back with a few changes:

  • Extra day – Victims now get 96 hours, or four days, to pay the ransom instead of the previous 72 hours.
  • Free decryption – Victims can also decrypt up to five files after infection. This shows victims their files can be returned, thereby encouraging them to pay the ransom.
  • Larger ransom – The fee demanded has jumped to 3 Bitcoins, or roughly $650 dollars, up from just $24 last summer.
  • Multi-lingual – Victims can read payment instructions in German, Italian, Dutch, and English.

The above information comes from the Security Intelligence Blog.

Face it: Decryption is impossible

Once files are caught in Critroni’s snare, it is impossible to decrypt them without paying the ransom.

(Side note: some people were able to decrypt files locked by Cryptolocker last year after government agencies and security firms seized its servers. However, this is not expected to happen with Critroni in the near future.)

In our eyes, paying the ransom is not an option. First, it might not work. Second, it would only perpetuate the problem.

Backing up your files and taking preventive measures are the best ways to combat this threat.

Back up your files – now

The only way to recover from a Critroni infection without paying the ransom is to remove the malware and restore your files from backup.

If you take one thing away from this post, make it this: back up your files. Now. A good backup can make the difference between an inconvenience and a disaster.
Operating your business without backups is like driving while blindfolded. One day you will crash. And it will hurt.

If you have backups and are infected, here’s what to do:

  1. Use Malwarebytes or another anti-malware solution to detect and remove the infection.
  1. Delete the files encrypted by Critroni.
  1. Restore the files from a backup.

More info: Absurdly simple guide to backing up your PC


Backing up your files is one preventive measure. There are many others you can take to avoid infection:

Block - Critroni / CTB-locker infections usually begin with a “.scr” file compressed in a “.zip” or “.cab” archive, according to Société Générale CERT. If possible, block “.scr” files at the email gateway and establish application and device control policies to prevent their execution.

Patch – Always maintain the latest versions of your firmware, antivirus, operating systems, and other systems. Routinely update as new patches become available.

Educate – Explain to users the dangers and warning signs of phishing emails and suspicious attachments.

Plan – Assume disaster is inevitable. Plan how you will respond.

Configure – Adjust security settings to prevent forced downloads.

Control – Use web filtering to control the sites users can access. Use egress or outbound traffic filtering to prevent connections to malicious hosts.

You cannot stay ahead of their game

Crypto-ransomware is in style. Hundreds of thousands, possibly millions, of variations exist. They have the same core approach: encrypt files, give a deadline, and demand a ransom.

Whether you call it Cryptolocker, CryptoWall, or Critroni, the threat is here and your anti-virus software cannot stay ahead of it. Hackers are altering and improving their code constantly.

So what do you do? In short, back up your files and focus on prevention.


Related resources

Ransomware: How to prevent a crypto crisis at your business

CryptoWall 2.0: Ransomware is alive and well

Ransomware: Hello Critroni and Goodbye Cryptolocker

Top Threats: How to prevent Cryptolocker

Written by Calyptix

 - February 4, 2015

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.
call us
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram