{"id":1491,"date":"2015-01-25T18:23:19","date_gmt":"2015-01-25T18:23:19","guid":{"rendered":"http:\/\/hidefideas.com\/blog\/?p=1491"},"modified":"2019-04-17T10:18:13","modified_gmt":"2019-04-17T10:18:13","slug":"warning-cbt-locker-ransomware-campaign-on-the-move-2","status":"publish","type":"post","link":"https:\/\/hidefideas.com\/blog\/2015\/01\/25\/warning-cbt-locker-ransomware-campaign-on-the-move-2\/","title":{"rendered":"Warning: CTB-Locker Ransomware Campaign on the Move"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-964 alignright\" src=\"http:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/cbtlocker-jan_diag-300x228.png\" alt=\"CBTLocker-jan_diag\" width=\"300\" height=\"228\" srcset=\"https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/cbtlocker-jan_diag-300x228.png 300w, https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/cbtlocker-jan_diag-197x150.png 197w, https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/cbtlocker-jan_diag.png 392w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Just in case you thought that winter had set in, a new year had begun, and everything was right with the world once again, we have some rough news for you. 2015\u2019s not going to be sunshine and lollipops, and the criminals are at it already, disturbingly so. This week, the cybersphere is reporting that a variant of Curve-Tor-Bitcoin (CTB) is being distributed in a spam campaign; and before you shrug it off as yet another sensational attempt by cybercrooks to compromise your well-oiled security methods, remember that your users aren\u2019t nearly as savvy or in touch with current affairs as you are.<\/p>\n<p>CTB-Locker, also known as Critroni, is ransomware, and while there are many and varied threats out there, none are quite as irritating as ransomware. 
If you\u2019re anything like us, the mere thought of having your data sitting there in front of you and yet so far away is a kind of torture that makes us want to petition the Geneva Conventions. Once installed on your system, the ransomware makes your data inaccessible until you pay up, and even then, there\u2019s no guarantee that the \u2018kidnapper\u2019 will do the right thing, a toss-up considering the scumlike low moral character that put your data at risk in the first place.<\/p>\n<p>But we digress. CTB-Locker uses Tor, an anonymity network that channels user traffic through a network of more than five thousand hosts. It conceals the user\u2019s location and usage history, making it virtually impossible to track anyone using the network. This one hurts a bit, too, because <a href=\"https:\/\/www.torproject.org\/\">Tor is intended<\/a> (by Tor\u2019s own admission) to defend \u201cpersonal freedom and privacy.\u201d<\/p>\n<p>CTB-Locker was first discovered in the middle of 2014, and while the transmission is invisible thanks to Tor, the payload itself encrypts data on the target computer using elliptic curve cryptography, which its creator \u201cclaims is significantly faster than encryption schemes used by other ransomware threats,\u201d according to <a href=\"http:\/\/www.pcworld.com\/article\/2456380\/stealthy-ransomware-critroni-uses-tor-could-replace-cryptolocker.html\">PC World<\/a>. The software is more powerful than Cryptolocker, which the US Department of Justice shut down in May 2014. Its creator has been peddling the ransomware to other criminals, the magazine points out, \u201con Russian-language forums since the middle of June and it seems that he\u2019s been trying to fix most of Cryptolocker\u2019s faults.\u201d<\/p>\n<p>Once the software\u2019s been installed on the target computer, the criminal contacts the infected party with the sales pitch. 
\u201cLike Cryptolocker, Critroni generates a public and private key pair for every infected system. The public key is stored on the infected computer and given to the victim, who is then asked to pay a ransom in Bitcoin in order to recover the files.\u201d The private key is kept safe and sound on a C&amp;C server that can only be accessed through the Tor network, again ensuring that the criminal can avoid being traced by law enforcement.<\/p>\n<p>If you followed the Cryptolocker story, you know that knocking the C&amp;C infrastructure offline rendered Cryptolocker inert. Unfortunately, CTB-Locker isn\u2019t nearly as easy to kill:<\/p>\n<p>\u201cTo prevent a similar takedown Critroni was designed to complete the file encryption operation locally before connecting to the command-and-control server. This also makes it hard for network security products to detect it early and block it by analyzing traffic.<\/p>\n<p>Blocking Tor traffic only prevents the user from paying, not the program from functioning, the Critroni author said in his advertisement.\u201d<\/p>\n<p>While the initial version of CTB-Locker targeted Russian users, variants have spread as criminals continue to purchase and modify the creator\u2019s product. Enter this most recent variant, which graciously offers the victim additional time to pay the ransom, according to <a href=\"http:\/\/www.scmagazine.com\/critroni-variant-of-ctb-locker-now-gives-victims-extra-time-to-pay-ransom\/article\/394247\/\">SC Magazine<\/a>. Unfortunately, that\u2019s about the only good news. What makes this one particularly difficult to swallow is the price. While the variants seen in mid-2014 charged a reasonable 0.02 Bitcoins for the encryption key, this new variant is looking for 3 Bitcoins, which at the time of writing equals US $738. That\u2019s not an easy pill for anyone to swallow, especially when you know you\u2019re paying for your own data.<\/p>\n<p>The variant gives victims 96 hours to pay up. 
This is a slight variation from the 72 hours users were given when CTB-Locker was discovered in July. So what happens if you don\u2019t pay in the allotted time? Sure you want to know? If you don\u2019t pay up, then your files become permanently encrypted, says SC Magazine.<\/p>\n<p>The main thing to remember is that this sucker is being distributed via email. Spam campaigns, some distributed through Cutwail, are making their rounds, and all it takes is one misinformed click. Still trust all your users now?<\/p>\n<p>Warn your people, folks. If this is any indication of how 2015 is going to turn out, perhaps we should put our collective minds together and build a time machine.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Just in case you thought that winter had set in, a new year had begun, and everything was right with the world once again, we&hellip; <\/p>\n","protected":false},"author":3,"featured_media":964,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,16,13],"tags":[11,9,10],"class_list":["post-1491","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bot","category-botnet","category-security","tag-allspammedup","tag-bot","tag-botnet","jsn-master"],"_links":{"self":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts\/1491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/comments?post=1491"}],"version-history":[{"count":2,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts\/1491\/revisions"}],"predecessor-version":[{"id":1656,"href":"https:\/\/hidefideas.com\/blog\/wp-json\
/wp\/v2\/posts\/1491\/revisions\/1656"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/media\/964"}],"wp:attachment":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/media?parent=1491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/categories?post=1491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/tags?post=1491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}