
CTB-Faker

Posted: July 12, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 33
First Seen: July 12, 2016
OS(es) Affected: Windows

CTB-Faker is a Trojan that imitates a file-encrypting ransomware while, in reality, holding your data hostage with a simpler technique than encryption: it moves your files into a password-protected archive. Like a real file encryptor Trojan, CTB-Faker's attack is meant to force you to pay for access to the contents of your PC, although malware experts always recommend other data restoration options first. Although you may wish to keep a quarantined sample for researchers in the PC security industry, you always should let your anti-malware products remove CTB-Faker and then take whatever steps are needed to recover the relocated content.

A Real Problem Hiding Under Fake Pretenses

The rise of file-encrypting ransomware as a for-profit industry has left various imitators in its wake, such as the CryptoFinancial Ransomware, which claims to be making a sophisticated encryption-based attack when it is, in fact, doing nothing more than deleting your files. With the recent CTB-Faker campaign, which reuses ransom messages scavenged from other Trojans like the Critoni Ransomware (AKA CTB-Locker), PC operators now may face a new kind of quasi-encryption tactic. Rather than encrypting each file individually, CTB-Faker merely compresses them all into a hidden, password-protected ZIP archive.

CTB-Faker's infection vector doesn't use the usual strategies of spam e-mail or website-based exploit kits. Instead, CTB-Faker's Trojan dropper poses as an erotica video advertised on the profile pages of compromised adult websites. The download is hosted on a cloud server and is a disguised executable that, when run, installs CTB-Faker's main SFX (self-extracting) archive, which in turn drops various components, including batch files, executables, and Visual Basic Script content. Because the lure depends on the victim running a file they expected to be a video, checking the real extension and file type of such downloads before opening them is enough to stop this vector.

Malware experts can confirm that current versions of CTB-Faker attack only content under the Windows Users folder. Assuming that the owner uses default save paths, CTB-Faker could target documents, game save data, desktop-stored information, and any movie or music media, among other possibilities. CTB-Faker targets only twenty-one file formats, but every file matching one of them is moved into a single, custom ZIP archive instead of being encrypted individually. Because compressing a whole profile into one archive is relatively time and resource intensive, the process could give the victim a chance to notice the attack (files disappearing from the profile while a single archive keeps growing) before CTB-Faker completes its task.

Despite that drastic shift in attack method, CTB-Faker's ransom note is identical to those of earlier, more traditional file-encrypting Trojans like the Critoni Ransomware, so the note alone cannot tell a victim which kind of attack actually took place.

A Genuine Response to a Trojan that's Less Threatening Than It Wants to Be

CTB-Faker appears to be the work of threat authors with less experience than most of their counterparts: it uses a far simpler payload than the standard, a thinly disguised installer rather than a genuine exploit, and components borrowed from other Trojan campaigns. Despite all of its limitations, CTB-Faker still is a potential threat to any PC user who lacks the foresight to back their data up.

PC users who, as malware experts recommend, back their data up routinely should be able to restore their files after uninstalling CTB-Faker through safe methods. If no spare copies of the ZIP-compressed content are available, save a sample of the original CTB-Faker dropper before cleanup: whichever dropped component builds the archive must have the password available at that moment, so the sample is the natural starting point for security researchers assisting you with data retrieval. Otherwise, let your anti-malware products remove CTB-Faker and all other threats they detect.

CTB-Faker doesn't truly remove or delete your files, nor does it encrypt them one by one. Instead, it only hides them inside a password-protected ZIP archive, and the ZIP format never encrypts its entry names, so the list of captured files can be read without the password. Although paying CTB-Faker's ransom could lead to recovery, giving con artists money for help that third-party security researchers can provide just as easily is, ultimately, needlessly self-destructive to both your finances and the state of the software industry.
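As an added example (not code from this page or from CTB-Faker's authors), the Python script below builds a small archive the way the attack described above does, with STORED entries under the traditional PKWARE "ZipCrypto" password protection that is the default for password-protected .zip files, and then triages it the way a responder would: listing the captured file names without the password, identifying the protection scheme, testing a candidate password such as a string found in the dropper's scripts, and extracting once one works. The victim files, the password, and the choice of ZipCrypto rather than AES are all assumptions made for the example; the page does not say which scheme the real archive uses.

```python
"""Added example (not code from the page or from CTB-Faker's authors).

Builds a small archive the way the attack does (STORED entries protected with
traditional PKWARE "ZipCrypto", the default for password-protected .zip files)
and then triages it without the password. Victim files, password and the
choice of ZipCrypto over AES are all assumptions made for the example.
"""
import io
import struct
import zipfile
import zlib

def _crc_step(crc: int, byte: int) -> int:
    # One ZipCrypto CRC-32 table round (no pre/post inversion), via zlib's table.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    """Traditional PKWARE encryption (APPNOTE.TXT), encryption side only."""
    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        k = self.k
        k[0] = _crc_step(k[0], c)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)

def build_protected_zip(entries: dict, password: bytes) -> bytes:
    """Write a ZIP whose entries are STORED and ZipCrypto-protected."""
    dos_date = ((2016 - 1980) << 9) | (7 << 5) | 12  # fixed timestamp, 2016-07-12
    body, central = bytearray(), bytearray()
    for name, data in entries.items():
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # 12-byte encryption header (real tools randomise the first 11 bytes); the
        # last byte must equal the CRC's high byte so readers reject a wrong password.
        blob = ZipCrypto(password).encrypt(bytes(11) + bytes([crc >> 24]) + data)
        fname, offset = name.encode(), len(body)
        body += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0, dos_date,
                            crc, len(blob), len(data), len(fname), 0) + fname + blob
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0,
                               0, dos_date, crc, len(blob), len(data), len(fname),
                               0, 0, 0, 0, 0, offset) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries),
                       len(entries), len(central), len(body), 0)
    return bytes(body + central + eocd)

def triage(zip_bytes: bytes) -> list:
    """(name, size, scheme) per entry. Needs no password: ZIP never encrypts
    entry names or sizes, so the victim can see exactly what was taken."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            if not zi.flag_bits & 0x1:
                scheme = "none"
            elif zi.compress_type == 99:  # WinZip AES marker
                scheme = "aes"
            else:  # encryption bit set, no AES marker: legacy ZipCrypto
                scheme = "zipcrypto"
            report.append((zi.filename, zi.file_size, scheme))
    return report

def password_works(zip_bytes: bytes, candidate: bytes) -> bool:
    """Try one candidate password (e.g. a string found in the dropper's scripts)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            zf.read(zf.infolist()[0], pwd=candidate)
            return True
        except (RuntimeError, zipfile.BadZipFile):  # check-byte or CRC mismatch
            return False

def recover(zip_bytes: bytes, password: bytes) -> dict:
    """Extract every entry once a working password is known."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {zi.filename: zf.read(zi, pwd=password) for zi in zf.infolist()}

# Constructed victim files and a made-up password (not CTB-Faker's real one).
VICTIM_FILES = {
    "Documents/thesis.docx": b"Lorem ipsum, chapter one.",
    "Pictures/holiday.jpg": bytes(range(256)),
}
PASSWORD = b"example-password-only"
ARCHIVE = build_protected_zip(VICTIM_FILES, PASSWORD)

if __name__ == "__main__":
    for name, size, scheme in triage(ARCHIVE):
        print(f"{name:24} {size:5d} bytes  protection={scheme}")
    print("candidate password works:", password_works(ARCHIVE, PASSWORD))
    print("recovered:", sorted(recover(ARCHIVE, PASSWORD)))
```

Two points the script makes that the ransom note hides: the entry list is readable before any password is known, so a victim can confirm which files were taken, and if triage reports the scheme as zipcrypto, a known-plaintext attack is also available whenever an unencrypted copy of any one captured file can be found (a cached attachment, a browser download), because it recovers the internal keys that open every entry without the password itself. Neither route applies to an AES-protected archive, so identifying the scheme is the first thing to check on a real sample.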
