Weaker Ransomware Knock Off

Tuesday, July 26, 2016 @ 03:07 PM gHale


Knock offs are just that, cheap imitations of the original well-built product.

In the ransomware world, there is one knock off going around with a similar name, but is just a pale imitation of the original.


CTB-Faker is going around trying to pass itself off as the better-known ransomware, CTB-Locker. CTB-Faker tells victims it is using strong encryption when it actually does nothing more than move all the victims’ data inside password-protected ZIP archives.

There is a decrypter available for this ransomware. The problem is that the decryption process is tedious and confusing, and the victim usually ends up needing help. That is why Lawrence Abrams of Bleeping Computer volunteered to assist users with the decryption process for free.

According to technical analysis from Bleeping Computer and Check Point, CTB-Faker is distributed via adult websites promoting private striptease dance videos.

Users are encouraged to download a ZIP file, which contains an executable. Running the executable starts the CTB-Faker ransomware, which slowly moves files into a password-protected archive at “C:\Users.zip.”

To move the files and then password-protect the archive, CTB-Faker uses the WinRAR application. Once the ransomware creates this file, it forces a computer restart and then shows the ransom note after the user logs in.
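The chain described above (a downloaded executable driving WinRAR to move user files into a password-protected archive, then forcing a reboot) is something an endpoint detection rule can key on. What follows is an added example, not code from this article or from Bleeping Computer or Check Point: the event fields, paths and WinRAR command lines are constructed assumptions, since the page does not show how CTB-Faker actually invokes WinRAR; the `-p`, `-hp` and `-df` switches are WinRAR's documented password and delete-after-archiving options.

```python
import re
from collections import defaultdict

# Constructed process-creation events in the shape an EDR/Sysmon feed might give.
# Field names, paths and the WinRAR command lines are assumptions for illustration;
# the article does not show how CTB-Faker really invokes WinRAR.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -phunter2 C:\Users\alice\Documents\taxes.rar C:\Users\alice\Documents\2015"},
    {"parent": r"C:\Users\alice\Downloads\video.exe", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -r -df -hps3cret C:\Users.zip C:\Users\alice\*"},
    {"parent": r"C:\Users\alice\Downloads\video.exe", "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": r"shutdown.exe /r /t 0"},
]

ARCHIVERS = {"rar.exe", "winrar.exe"}
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*", re.I)      # -p<pwd> or -hp<pwd> (headers encrypted too)
DELETE_AFTER = re.compile(r"(?:^|\s)-df(?=\s|$)", re.I)          # delete sources after archiving, i.e. "move"
ROOT_ARCHIVE = re.compile(r"\s([a-z]:\\[^\\\s]+\.(?:zip|rar))(?=\s|$)", re.I)  # archive directly under a drive root
STAGING_DIR = re.compile(r"\\(?:downloads|temp|appdata)\\", re.I)  # parent binary lives where downloads land

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def indicators(ev):
    """Return the suspicious traits of a single process-creation event."""
    hits = []
    cmd = ev["cmdline"]
    if basename(ev["image"]) in ARCHIVERS:
        if PASSWORD_SWITCH.search(cmd):
            hits.append("password-protected archive")
        if DELETE_AFTER.search(cmd):
            hits.append("source files deleted after archiving")
        if ROOT_ARCHIVE.search(cmd):
            hits.append("archive written to drive root")
        if STAGING_DIR.search(ev["parent"]):
            hits.append("archiver launched by binary in a staging directory")
    elif basename(ev["image"]) == "shutdown.exe" and "/r" in cmd.lower().split():
        hits.append("forced reboot")
    return hits

def assess(events, threshold=3):
    """Group indicators per parent process; a single user-driven password archive
    stays below the threshold, the archive-then-reboot chain does not."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["parent"]].extend(indicators(ev))
    return {p: {"indicators": hits, "alert": len(hits) >= threshold} for p, hits in by_parent.items()}
```

Run `assess(EVENTS)`: the explorer-launched archive scores one indicator and stays quiet, while the downloaded executable accumulates five across its two child processes and alerts.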

The ransom note is specifically designed to look like the same ransom note used by CTB-Locker ransomware. The reason for posing as another piece of ransomware is to discourage users from resisting making the ransom payment.

The strategy seems to be working, as Abrams reported discovering one Bitcoin address used in the CTB-Faker ransom note that received 577 Bitcoin ($381,000) in payments. It is not confirmed that all of those funds came from CTB-Faker payments.

CTB-Faker’s ransom note said the ransomware uses a combination of SHA-512 and RSA-4096 to lock files, but in reality, the encryption is AES-256, the standard encryption used to lock files inside a WinRAR archive.

The AES-256 encryption key (WinRAR password) is hard-coded inside the executable file found in the ZIP file users initially downloaded from the adult sites. If users still have that file around, they can contact Abrams for his help in extracting the ZIP file’s password.