CTB-Locker (Critoni) Ransomware

Posted: July 21, 2014
Threat Metric
Threat Level: 10/10
Infected PCs: 44

CTB-Locker (Critoni) Ransomware Description

The Critoni Ransomware (also tracked as CTB-Locker) is a file-encrypting Trojan that encrypts documents, pictures and other files on the infected PC so that they can no longer be opened. Its purpose is revenue: restoration of the encrypted files is ransomed at a high price, although malware experts recommend restoring your data from a backup instead. Because the Critoni Ransomware is a 2014-era threat that is still actively distributed to its clientele, you should take all appropriate anti-malware steps to block its varied installation methods and, if necessary, remove the Critoni Ransomware from your computer.

The Ransomware that Uses Tor Both Coming and Going

The Critoni Ransomware's developers have offered it as a supposedly new version of Cryptolocker since June 2014, renting its services to other parties for 3,000 USD. While Critoni Ransomware attacks have often focused on Russia, its use by diverse third parties has begun to widen its choice of victims, putting other countries at risk from this PC threat. Although the Critoni Ransomware frequently arrives through exploits bundled in webpage-hosted threats such as the Angler Exploit Kit, malware experts confirm that it also uses other installation methods, such as spam and disguised social-networking links.

Distribution methods aside, the Critoni Ransomware's primary functions are the same as those of other file-encrypting Trojans: it encrypts selected files so that they are unreadable, then demands a Bitcoin ransom to reverse the damage through several channels, including .TXT notes dropped in the affected directories. The Critoni Ransomware claims to use an elliptic curve-based encryption scheme that cannot be reversed by third-party tools (the "CTB" in CTB-Locker stands for Curve, Tor, Bitcoin). Malware experts have yet to confirm this claim, but they do note that remote, offline backups are the simplest way to protect your data from encryption attacks.

From a programming standpoint, the Critoni Ransomware is well-designed in two respects: it requires the Tor Browser (an anonymity-enabling Web browser) to reach its payment site, and it uses the same Tor network to communicate with its C&C servers. The latter is a feature that malware researchers more often find in banking Trojans, and it indicates a long-term commitment to anonymity and operational safety on the part of the Critoni Ransomware's developers.

Bailing Yourself out of a Ransom with not a Bitcoin Lost

As usual, the Critoni Ransomware's ransom messages include countdown timers that warn you to pay before retrieving your files becomes impossible. Nonetheless, malware experts report no negative consequences from ignoring this timer and removing the Critoni Ransomware from your computer with a proper anti-malware solution. There is not yet a third-party decryption tool for reversing the Critoni Ransomware's attacks, but standard file backup strategies should be sufficient for restoring any lost data. Browser settings that maximize safety, such as disabling automatic script execution on websites, may also provide some protection against its known distribution techniques.

The Critoni Ransomware has also been verified to encrypt files on PCs without an Internet connection, which is consistent with an encryption scheme that needs only a public key embedded in the Trojan rather than a key fetched from a server. Malware experts have yet to find any worm-based distribution method that would let the Critoni Ransomware compromise such systems without the help of additional threats. The full range of OSes vulnerable to the Critoni Ransomware is under investigation.
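To show why an elliptic-curve design can lock files with no server contact, and why a defender cannot reverse it without the operator's private key, the following is an added Go illustration of the general public-key hybrid scheme (X25519 key agreement plus AES-GCM). It is not CTB-Locker's code and makes no claim about the Trojan's actual curve, key derivation or file format, none of which this page documents; the struct and function names, the constructed sample plaintext, and the use of SHA-256 as a stand-in for a proper key-derivation function are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what an offline encryptor could leave beside a locked file:
// the ephemeral public key and the AES-GCM ciphertext with its nonce.
// Nothing in it lets the victim recover the AES key.
type Envelope struct {
	EphemeralPub []byte // 32-byte X25519 public key of the discarded ephemeral key
	Nonce        []byte
	Ciphertext   []byte
}

// deriveKey turns an X25519 shared secret into a 256-bit AES key.
// A plain SHA-256 stands in for a proper KDF here (simplification for the example).
func deriveKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

// LockFile encrypts plaintext using only the operator's long-term public key.
// No private key and no network round trip are needed on the victim side,
// which is why such a Trojan can work on a machine with no Internet connection.
func LockFile(operatorPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	curve := ecdh.X25519()
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// The ephemeral private key goes out of scope here; only its public half is kept.
	return &Envelope{EphemeralPub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// UnlockFile is the operator-side step: only the holder of the long-term
// private key can recompute the shared secret and therefore the AES key.
func UnlockFile(operatorPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("wrong key or tampered envelope")
	}
	return pt, nil
}

func main() {
	// Constructed demo: the operator keypair would normally be generated off-box,
	// with only the public key embedded in the sample.
	operator, _ := ecdh.X25519().GenerateKey(rand.Reader)
	env, err := LockFile(operator.PublicKey(), []byte("constructed file contents"))
	if err != nil {
		panic(err)
	}
	// A different key (a defender guessing) cannot open the envelope.
	stranger, _ := ecdh.X25519().GenerateKey(rand.Reader)
	if _, err := UnlockFile(stranger, env); err == nil {
		panic("unexpected: decrypted without the operator key")
	}
	pt, err := UnlockFile(operator, env)
	fmt.Printf("recovered: %q err=%v\n", pt, err)
}
```

The practical lesson is the one the page draws: once files are sealed this way, the only key material on the victim's machine is a public key and per-file ephemeral public keys, so recovery without the operator's private key comes down to backups.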

As CTB-Locker infection rates rise, it has become clear that the infection is thorough in what it encrypts. The only way for computer users to restore their files is to use a backup copy of their data or a previous version saved on their system or an external hard drive.


Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to CTB-Locker (Critoni) Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.



Why can't I open any program, including SpyHunter? A malware file running in memory may be killing any program you try to launch. Tip: download SpyHunter on a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run its malware scanner.

Technical Details

Registry Modifications

The following Registry value is created; it replaces the desktop wallpaper with a ransom image that the Trojan drops in the user's Documents folder:

HKEY_CURRENT_USER\Control Panel\Desktop "Wallpaper" = "%MyDocuments%\AllFilesAreLocked [USER ID].bmp"
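As an added example (not part of the original page or the vendor's tooling), here is a small Go checker that turns the Registry indicator above into a test against a `reg export` of the Desktop key: it pulls the Wallpaper value and matches it against the "AllFilesAreLocked [USER ID].bmp" filename pattern. The sample export text is constructed, the user path in it is made up, and because the page does not give the format of the user ID, the matcher accepts any run of characters before ".bmp" (an assumption).

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of `reg export "HKCU\Control Panel\Desktop"` output.
// Real exports are UTF-16LE on disk; decode to a string before feeding them in.
const sampleRegExport = `Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"WallpaperStyle"="10"
"Wallpaper"="C:\\Users\\alice\\Documents\\AllFilesAreLocked 1234567890.bmp"
"TileWallpaper"="0"
`

// ransomWallpaper matches the indicator's filename pattern
// "AllFilesAreLocked <user id>.bmp" at the end of the path. The user-id
// format is not documented on the page, so any non-backslash run is accepted.
var ransomWallpaper = regexp.MustCompile(`(?i)AllFilesAreLocked [^\\]+\.bmp$`)

// unescapeReg undoes .reg string escaping (\\ -> \ and \" -> ").
func unescapeReg(s string) string {
	return strings.NewReplacer(`\\`, `\`, `\"`, `"`).Replace(s)
}

// WallpaperValue returns the Wallpaper value under
// HKEY_CURRENT_USER\Control Panel\Desktop from .reg export text, or "" if absent.
func WallpaperValue(regText string) string {
	inDesktop := false
	sc := bufio.NewScanner(strings.NewReader(regText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") {
			// Section header: only values under the Desktop key are of interest.
			inDesktop = strings.EqualFold(line, `[HKEY_CURRENT_USER\Control Panel\Desktop]`)
			continue
		}
		if !inDesktop {
			continue
		}
		name, val, ok := strings.Cut(line, "=")
		if !ok || !strings.EqualFold(name, `"Wallpaper"`) {
			continue
		}
		val = strings.TrimSuffix(strings.TrimPrefix(val, `"`), `"`)
		return unescapeReg(val)
	}
	return ""
}

// IsCTBLockerWallpaper reports whether a wallpaper path matches the indicator.
func IsCTBLockerWallpaper(path string) bool {
	return ransomWallpaper.MatchString(path)
}

func main() {
	wp := WallpaperValue(sampleRegExport)
	fmt.Printf("Wallpaper = %q  indicator match: %v\n", wp, IsCTBLockerWallpaper(wp))
}
```

On a live host, `reg export "HKCU\Control Panel\Desktop" desktop.reg` produces the input; a match on the wallpaper value is a strong sign the ransom image is already in place, at which point the accompanying .bmp in the Documents folder and the .TXT ransom notes described above should also be present.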