
Name: CTB-Locker / Onion / Critroni
Type: Crypto Ransomware
Encryption Type: RSA 2048 Encryption
Short Description: Affects all versions of Windows. Specific files can no longer be opened. It creates the files allfilesarelocked.bmp and decryptallfiles.txt.

CTB-Locker ransomware creates AllFilesAreLocked.bmp, DecryptAllFiles.txt and [seven random letters].html files within each folder that contains encrypted files.

Distribution Method

It infiltrates the system through fake downloads and spam email messages.

More Details

Once the ransomware infiltrates the victim's computer, the infection files are stored in the %temp% folder as an executable with a random name. This is done so that the ransomware launches on its own whenever the system is restarted.

Once the system is rebooted, it copies itself to a different name in that folder and creates a new job to launch it. The ransomware is only effective if the device is connected to the internet; without a connection it remains dormant. This is because it uses a command and control server hidden in the Tor network, which keeps the operators anonymous. This ransomware is mostly seen in the USA, Italy, the Netherlands and Germany.

Once executed, the ransomware scans the complete system for specific files on the victim's computer and encrypts them using an XOR operation. Encrypted files receive the .ctbl extension. It then generates a unique user ID for the infected machine; this user ID is embedded in the various file names listed below. It then creates a file named AllFilesAreLocked followed by the user ID, with a .txt extension, in the Documents folder; this file contains the ransom instructions.
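As an added example (not part of the original page), a small Python scan that looks for the traces described above, the .ctbl extension, the AllFilesAreLocked/DecryptAllFiles notes and the seven-letter .html file, across a directory tree and reports the affected folders. The sample tree it builds is constructed for the demonstration; every file name in it is made up.

```python
import os
import re
import tempfile

# File-system traces taken from the description above (names constructed, not from a live sample)
ENCRYPTED_EXT = ".ctbl"                                    # appended to every encrypted file
NOTE_PREFIXES = ("allfilesarelocked", "decryptallfiles")   # .bmp/.txt notes, optionally with user ID
RANDOM_HTML = re.compile(r"^[a-z]{7}\.html$")              # weak: any 7-letter .html name matches

def classify(name):
    """Return 'encrypted', 'note', 'weak' or None for one file name."""
    low = name.lower()
    if low.endswith(ENCRYPTED_EXT):
        return "encrypted"
    if low.startswith(NOTE_PREFIXES) and low.endswith((".bmp", ".txt")):
        return "note"
    return "weak" if RANDOM_HTML.match(low) else None

def scan_tree(root):
    """Walk root; report folders holding encrypted files or a ransom note.
    A lone 7-letter .html is never reported by itself (too many benign matches)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = {"encrypted": [], "note": [], "weak": []}
        for f in files:
            kind = classify(f)
            if kind:
                hits[kind].append(f)
        if hits["encrypted"] or hits["note"]:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings[rel] = {"encrypted": len(hits["encrypted"]),
                             "notes": sorted(hits["note"] + hits["weak"])}
    return findings

def build_sample_tree(root):
    """Constructed sample: one infected folder, one clean folder, one with only a benign 7-letter html."""
    layout = {"Documents/reports": ["q1.docx.ctbl", "budget.xlsx.ctbl", "AllFilesAreLocked.bmp",
                                    "DecryptAllFiles.txt", "kqzpwmn.html"],
              "Pictures": ["holiday.jpg"], "Web": ["contact.html"]}
    for folder, names in layout.items():
        path = os.path.join(root, *folder.split("/"))
        os.makedirs(path)
        for n in names:
            open(os.path.join(path, n), "w").close()

def demo():
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)
```

Run `demo()` to see that only the folder holding .ctbl files and notes is reported, while the folder with just a seven-letter .html is ignored.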

For decrypting the files, a DecryptAllFiles file followed by the user ID, with a .txt extension, is provided; it contains the details needed to decrypt the files. The ransom note contains a personal key that the victim is supposed to enter on the site that opens once the link is clicked; this site can only be reached via Tor, since Tor provides anonymity for the attacker. The ransom is to be paid only in bitcoins within 72 hours; if the victim has not paid within that time, the ransom amount is doubled.