CTB-Faker Ransomware does a poor job imitating CTB-Locker

Share this…

A new ransomware called CTB-Faker was discovered that pretends to be the CTB-Locker ransomware. It is a poor imitator, though, as instead of encrypting a victim’s files, it will move them instead into a password protected ZIP archive.  CTB-Faker will then demand a ransom of  ~.08 bitcoins, which equates to approximately $50 USD, in order to get the password for your files.

The good news is that there is a way to get your files back for free if you have a sample of the original installer.  If you are infected with this ransomware, contact me at the site or post in the CTB-Faker Help and Support topic and I will try to help.

CTB-Faker devs appear to be BleepingComputer Visitors

The main executable for the CTB-Faker Ransomware includes numerous image resources that are used as backgrounds for the ransom note. It looks like the dev is a visitor of BleepingComputer, because one of these images is a BleepingComputer watermarked image from an older ransomware called ZeroLocker. Below is the image found in the Help.exe executable.

ZeroLocker watermarked Image
ZeroLocker watermarked Image

CTB-Faker is distributed through fake Striptease Videos

CTB-Locker is currently distributed through fake profile pages on Adult sites that contain passwords and links to a supposed password-protected striptease video.

Distribution page for CTB-Faker
Distribution page for CTB-Faker

When a user clicks on the link in the profile, it will download the zip file, which is currently being hosted on JottaCloud. Once a user extracts the contents of the Zip files and runs the included executable, the ransomware will encrypt your files.

How CTB-Faker Encrypts your Files

CTB-Faker is actually a WinRAR SFX file that when executed extracts numerous batch files, VBS files, and executables into the C:\ProgramData folder. The main installer will then execute a VBS file that displays a fake error message pretending to be a graphic card error that is not allowing you to view the striptease video.

Fake Graphic Card Error Alert
Fake Graphic Card Error Alert

Behind the scenes, though, the ransomware is using the bundled WinRAR to create a password-protected ZIP archive located at C:\Users.zip. This zip file will contain files that were located under the C:\Users folder and that match the following file extensions:

.exe,  .msi,  .dll,  .jpg,  .jpeg,  .bmp,  .gif,  .png,  .psd,  .mp3,  .wav,  .mp4,  .avi,  .zip,  .rar,  .iso,  .7z,  .cab,  .dat,  .data 

When archiving the files, CTB-Faker will move, not copy, the files into the password-protected archive. This process is very slow and very CPU intensive, so victims will find that their hard drives are being constantly accessed and the CPU utilization will spike to higher than normal percentages.

When the archive has finished being created, the program will delete various VBS and Batch files located in C:\ProgramData and then reboot the computer. Once the computer has restarted and the victim logs in they will be presented with a ransom screen as shown below.

CTB-Faker Ransom Screen
CTB-Faker Ransom Screen

This ransom note will state that the files have been encrypted and that the victim must pay $50 USD in bitcoins to the bitcoin address 1NgrUc748vG5HerFoK3Tkkb1bHjS7T2w5J. Once a payment has been made they should email miley@openmailbox.org in order to get the password. There is currently no activity on this bitcoin address.

There is also an alternate image background that contains the bitcoin address 3MTTgd2BaPndUYkmGjiacaPLkuWsiPUzM3 and the email addresshelp@openmailbox.org as shown below. The 3MTTgd2BaPndUYkmGjiacaPLkuWsiPUzM3 address from this background has a lot of activity, with over 476 received bitcoins and a current balance of 11 bitcoins.

Alternate CTB-Faker Background
Alternate CTB-Faker Background

Finally, the ransom note will also contain a Decrypt button and an Internet button. The Internet button will open the default browser. The Decrypt button will start a Restore.exe program that asks you to enter the password for the password-protected zip file. Once the correct password is entered, the users.zip file will automatically be extracted to your hard drive and your files recovered.

Restore Password Prompt
Restore Password Prompt

Also created are ransom notes located at C:\ProgramData\index.html,C:\ProgramData\your personal files are encrypted.txt, and C:\your personal files are encrypted.txt, which contain the same information as the screens shown above.

If you are infected with this ransomware, please do not pay the ransom. Instead contact me at the site or ask for help in the CTB-Faker Help and Support topic.

Files associated with CTB-Faker

C:\ProgramData\7zxa.dll
C:\ProgramData\Default.SFX
C:\ProgramData\Descript.ion
C:\ProgramData\Rar.exe
C:\ProgramData\RarExt.dll
C:\ProgramData\RarExt64.dll
C:\ProgramData\RarFiles.lst
C:\ProgramData\UNACEV2.DLL
C:\ProgramData\UnRAR.exe
C:\ProgramData\Uninstall.lst
C:\ProgramData\WinCon.SFX
C:\ProgramData\WinRAR.exe
C:\ProgramData\Zip.SFX
C:\ProgramData\archiver.bat
C:\ProgramData\archiver.vbs
C:\ProgramData\copy.bat
C:\ProgramData\copy.vbs
C:\ProgramData\help.exe
C:\ProgramData\index.html
C:\ProgramData\rarnew.dat
C:\ProgramData\restore.exe
C:\ProgramData\startup.exe
C:\ProgramData\startup.vbs
C:\ProgramData\untitled.png
C:\ProgramData\untitled.vbs
C:\ProgramData\your personal files are encrypted.txt
C:\ProgramData\zipnew.dat
C:\your personal files are encrypted.txt

Registry entries associated with CTB-Faker

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\help.exe	C:\ProgramData\help.exe

IOC

Installer Hash: cf82f93bc06247062e16dc3fa233c5a5e0789cdecdccc672a58949f0c625833f

Source:https://www.bleepingcomputer.com/