Security Awareness Training Blog

    CTB-Locker Ransomware Uses Blockchain to Store & Deliver Decryption Keys

    CTB-Locker Ransomware ScreenshotA mysterious update in the behavior of the CTB-Locker ransomware strain alerted security researchers to pull some strings and see what was going on.

    The CTB-Locker ransomware family, which is mainly known for infecting and locking individual machines, recently switched to targeting websites via a PHP version, first observed last February.

    The change that caught the eye of Sucuri experts is an update to its "Free decrypt" page where users could unlock one free file per infection. It didn't take long for researchers to observe that the ransomware was using blockchain to deliver decryption keys for their victims using a special field in the Bitcoin transaction operation called OP_RETURN.

    The Sucuri guys said: "So, instead of using unreliable gates on third-party hacked sites, the March version of the CTB-Locker reads the keys directly from public and much more reliable blockchain information services. That’s the beauty of Bitcoin transactions – everything is public and transparent, and at the same time it’s possible to keep things anonymous and not traceable to real IPs." 

    How it works: For each infected website, the cyber criminals were automatically creating a Bitcoin address, which they would monitor. If 0.0001 Bitcoin -- the minimum transaction fee-- was sent they would know it was for a free decrypt operation.

    From another account, they would then initiate a fake transaction to the infected website's unique Bitcoin address. While this transaction never went through, it would be enough to get recorded in the blockchain as a failed operation, along with its OP_RETURN metadata.

    Crooks would then use the Blockexplorer.com API to look at the OP_RETURN field which would hold the decryption key for the file submitted via the free decrypt operation. If the infected user paid the entire ransom, this same field would hold the entire master decryption key for all files. 

    The authors made the switch bcause payment gates were previosly hosted on infected websites and didn't make for a reliable method of payment tracking. 

    Looks like the criminals weren't very successful, in tracking the Bitcoin wallets no victims paid the full ransom and likely restored their websites via backups. More at the SucuriNet blog.

     

    What To Do About Ransomware

    Get the most informative and complete hostage rescue manual on Ransomware. This 20-page manual (PDF) is packed with actionable info that you need to prevent infections, and what to do when you are hit with malware like this. You also get a Ransomware Attack Response Checklist and Prevention Checklist.

    Download Here

    Hat Tip to SoftPedia

     

     

    Return To KnowBe4 Security Blog

    Topics: Ransomware

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe To Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews