
CTB-Locker (Critoni) Ransomware

Posted: July 21, 2014

Threat Metric

Ranking: 14,807
Threat Level: 10/10
Infected PCs: 44
First Seen: July 21, 2014
Last Seen: September 14, 2023
OS(es) Affected: Windows


The Critoni Ransomware is a file-encrypting Trojan that scrambles the contents of your PC's files to block access to documents, pictures and other digital content. Its overall goal is to generate revenue by ransoming the restoration of these files at a high price, although malware experts recommend restoring your data from a backup instead. Because the Critoni Ransomware is a 2014-era threat that is still being actively distributed to its clientele, you should take all appropriate anti-malware security steps to block its varied installation methods and, if necessary, remove the Critoni Ransomware from your computer.

The Ransomware that Uses Tor Both Coming and Going

The Critoni Ransomware's developers have offered it as a supposedly new version of Cryptolocker since June of 2014, with other parties allowed to rent its services at a cost of 3,000 USD. While the Critoni Ransomware's attacks often focus on Russia, its use by diverse third parties has begun to broaden its choice of victims, putting other nations at risk from this PC threat. Although the Critoni Ransomware frequently uses exploits included in webpage-hosted threats like the Angler Exploit Kit, malware experts can confirm that it also uses other methods to install itself, such as spam and disguised social networking links.

Distribution methods aside, the Critoni Ransomware's primary functions are the same as those of other file-encrypting Trojans: it uses encryption attacks to make arbitrarily selected files unreadable. Various methods are used (including .TXT files left in appropriate directories) to demand a Bitcoin-based ransom fee to reverse these attacks. The Critoni Ransomware claims to use an elliptic curve-based encryption method that can't be reversed by third-party tools; while malware experts have yet to confirm this, they do note that remote backups are the simplest way to defend your information from encryption attacks.

From a programming standpoint, the Critoni Ransomware is well-designed both for requiring the use of the Tor Browser (an anonymity-enabling Web browser) to process payments, and for using that same program to communicate with its C&C servers. The latter is a feature that malware researchers more often find in banking Trojans, and indicates a level of long-term commitment to anonymity and personal safety on the part of the Critoni Ransomware's developers.

Bailing Yourself out of a Ransom with not a Bitcoin Lost

As usual, the Critoni Ransomware's ransom messages include countdown timers that warn you to pay your ransom before retrieving your files becomes impossible. Nonetheless, malware experts find no negative consequences to ignoring this timer and, hopefully, removing the Critoni Ransomware from your computer through proper anti-malware solutions. There is not yet a third-party decryption tool available for reversing the Critoni Ransomware's attacks, but standard file backup strategies should be sufficient for restoring any lost data. Using browser settings that maximize safety, such as disabling automatic website scripts, also may provide a degree of protection from the Critoni Ransomware's known distribution techniques.

The Critoni Ransomware also was verified to be able to modify files on PCs lacking Internet connections, although malware experts have yet to find any worm-based distribution methods that would allow the Critoni Ransomware to compromise such systems without the assistance of additional threats. The full range of OSes vulnerable to the Critoni Ransomware is under investigation.

As infection rates of CTB-Locker increase, it has been noted that the infection is relentless when it comes to destroying files through encryption. The only way for computer users to restore their files is to utilize either a backup copy of their hard drive or restore the files from a previous restore point saved on their system or external hard drive.


Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: %MyDocuments%\AllFilesAreLocked [USER ID].bmp
Mime Type: unknown/bmp
Group: Malware file

File name: %MyDocuments%\DecryptAllFiles [USER ID].txt
Mime Type: unknown/txt
Group: Malware file

File name: %MyDocuments%\[RANDOM].html
Mime Type: unknown/html
Group: Malware file

File name: %Temp%\[RANDOM].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: %WinDir%\Tasks\[RANDOM].job
Mime Type: unknown/job
Group: Malware file

File name: C:\Documents and Settings\<username>\Application Data\[RANDOM].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: C:\Documents and Settings\<username>\Local Application Data\[RANDOM].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: C:\Users\<username>\AppData\Local\[RANDOM].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: C:\[RANDOM]\[RANDOM].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY_CURRENT_USER\Control Panel\Desktop "Wallpaper" = "%MyDocuments%\AllFilesAreLocked [USER ID].bmp"
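The file and Registry artifacts listed under Technical Details can be turned into a simple host check. The following Python script is an added example written for this page, not a tool from the page's author; it converts the listed paths (with the [USER ID] and [RANDOM] placeholders treated as wildcards) into patterns, ranks them by how specific they are, and runs them over a constructed list of file paths and Registry values. The ransom bitmap, the DecryptAllFiles note and the Wallpaper value are treated as strong indicators; the dropped executables and the .job task file also appear on the page but match plenty of legitimate software, so on their own they only flag a host for review. The sample host data is constructed for the demo.

```python
from __future__ import annotations

import re
from typing import Iterable

# Patterns derived from the artifact paths listed on this page. "[USER ID]" and
# "[RANDOM]" become single-component wildcards; the %MyDocuments%, %Temp% and
# %WinDir% placeholders are matched loosely so both XP-style and Vista+ profile
# layouts hit. Matching is case-insensitive on backslash-normalised paths.
STRONG_FILE_INDICATORS = {
    "ransom wallpaper bitmap": re.compile(r"\\allfilesarelocked [^\\]+\.bmp$"),
    "ransom note text file": re.compile(r"\\decryptallfiles [^\\]+\.txt$"),
}

# Also listed on the page, but too generic to be conclusive by themselves.
WEAK_FILE_INDICATORS = {
    "executable dropped in %Temp%": re.compile(r"\\temp\\[^\\]+\.exe$"),
    "scheduled task job file": re.compile(r"\\windows\\tasks\\[^\\]+\.job$"),
    "executable in Application Data": re.compile(r"\\application data\\[^\\]+\.exe$"),
    "executable in AppData\\Local": re.compile(r"\\appdata\\local\\[^\\]+\.exe$"),
    "executable in a top-level folder": re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+\.exe$"),
}

WALLPAPER_VALUE = r"HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper"
WALLPAPER_INDICATOR = STRONG_FILE_INDICATORS["ransom wallpaper bitmap"]


def normalise(path: str) -> str:
    """Lower-case and use backslashes so patterns match regardless of input style."""
    return path.replace("/", "\\").lower()


def scan_files(paths: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (strength, label, original path) for every path that matches an indicator."""
    hits = []
    for raw in paths:
        p = normalise(raw)
        for label, rx in STRONG_FILE_INDICATORS.items():
            if rx.search(p):
                hits.append(("strong", label, raw))
        for label, rx in WEAK_FILE_INDICATORS.items():
            if rx.search(p):
                hits.append(("weak", label, raw))
    return hits


def scan_registry(values: dict[str, str]) -> list[tuple[str, str, str]]:
    """Flag the Wallpaper value if it points at the ransom bitmap named on the page."""
    hits = []
    for name, data in values.items():
        if normalise(name) == normalise(WALLPAPER_VALUE) and WALLPAPER_INDICATOR.search(normalise(data)):
            hits.append(("strong", "wallpaper set to ransom bitmap", data))
    return hits


def assess(paths: Iterable[str], registry_values: dict[str, str]) -> dict:
    """Combine file and Registry hits into a verdict: infected, review or clean."""
    hits = scan_files(paths) + scan_registry(registry_values)
    strong = [h for h in hits if h[0] == "strong"]
    weak = [h for h in hits if h[0] == "weak"]
    # One strong artifact is enough; weak artifacts alone only warrant a closer look.
    verdict = "infected" if strong else ("review" if weak else "clean")
    return {"verdict": verdict, "strong": strong, "weak": weak}


# Constructed sample host data (not real telemetry); the user name and the
# random file names are invented for the demo.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\AllFilesAreLocked 4F2A9C.bmp",
    r"C:\Users\alice\Documents\DecryptAllFiles 4F2A9C.txt",
    r"C:\Users\alice\AppData\Local\Temp\kxqpd.exe",
    r"C:\Windows\Tasks\bzwrt.job",
    r"C:\Users\alice\Documents\budget.xlsx",
]
SAMPLE_REGISTRY = {
    WALLPAPER_VALUE: r"C:\Users\alice\Documents\AllFilesAreLocked 4F2A9C.bmp",
}
CLEAN_FILES = [
    r"C:\Users\bob\Documents\notes.txt",
    r"C:\Program Files\Tool\bin\tool.exe",
]
CLEAN_REGISTRY = {WALLPAPER_VALUE: r"C:\Windows\Web\Wallpaper\img0.jpg"}

if __name__ == "__main__":
    for label, (files, reg) in {"sample": (SAMPLE_FILES, SAMPLE_REGISTRY),
                                "clean": (CLEAN_FILES, CLEAN_REGISTRY)}.items():
        result = assess(files, reg)
        print(f"{label}: {result['verdict']}")
        for strength, what, where in result["strong"] + result["weak"]:
            print(f"  [{strength}] {what}: {where}")
```

On a live Windows host the two input lists would come from a directory walk of the user profile and Tasks folder and from reading the Wallpaper value under HKCU; the ranking matters because the %Temp% and AppData executables and the .job file are ordinary on an uninfected machine, while a wallpaper pointing at an AllFilesAreLocked bitmap is not.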

6 Comments

  • mailru_y2k says:

    Hello everybody!
    My files also became encrypted due to CTB-Locker. I'm ready to pay some money for my stupidity, but 3 BTC is too much for me just because I'm from Ukraine, we have ongoing war now, economics is falling, etc.
    I can pay 100 USD to anyone who can decrypt my files

  • MarkusMerk says:

    Hi, has anyone a tool to decrypt the files?
    Thanks!

  • Moxium says:

    Unfortunately, each decryption key is unique for each computer infected ...
    Trying a system restore may help you get your files back.

  • athame says:

    Hi, just found out I have the same above-mentioned trojan. Is there any way I can get my files back, any progress? I've lost all my pictures, of my deceased parents, friends, important documents, everything!! Whoever did this are real bXXXXXs!!

  • Mike says:

    I had this 'Locker' appear when using a Library computer with HD attached via USB for storage. Files on the HD were corrupted, (though ...of course... I had Back-ups of everything), but I did notice Wordpad/Notepad files OPEN at the time of infection were NOT corrupted !?! .... also, while images on the Library PC WERE unviewable at the TIME, several days later the pics ARE working fine again. I did ASK if anything had been done TO the P.C. by Library Staff, (they said NO), though every evening the computers are all Switched Off then back ON again the next day ... Ultimate answer, of course, with External/BU HD's so cheap these days, does seem to be to BACK-UP EVERYTHING important, (at least ONCE) 🙂

  • joe lacour says:

    Will this program really work to get CTB-Locker off without losing any files? Guaranteed to work or money back! Please reply.
