March 16, 2021

What is CTB-Locker Ransomware and How Does it Work?

By Courtney Heinbach
Ransomware, Threat Analysis, Datto RMM

While there is, unfortunately, no foolproof way to protect against ransomware, there are steps managed service providers (MSPs) can take to educate their staff and their clients about the various ransomware strains that could drastically impact business operations. Many of these events can be avoided with preventative measures like third-party automatic backup solutions and having a strategic recovery plan in place.

These measures have become increasingly necessary as organizations around the world face rising cybersecurity threats.

First things first, you have to know what you’re up against and be able to recognize the signs and symptoms of a breach. It’s likely your clients’ employees have never even heard of these ransomware strains so the best thing you can do is help them understand the basics.

What is CTB-Locker Ransomware?

CTB-Locker ransomware is part of the crypto-ransomware family. This type of virus infiltrates operating systems via infected email messages and fake downloads (e.g., rogue video players or fake Flash updates). After successful infiltration, this malicious program encrypts various files (*.doc, *.docx, *.xls, *.ppt, *.psd, *.pdf, *.eps, *.ai, *.cdr, *.jpg, etc.) stored on computers and demands a ransom payment in Bitcoin to decrypt them (encrypted documents receive the .ctbl file extension).

Cybercriminals responsible for releasing CTB-Locker ensure that it executes on all Windows operating system versions (Windows XP, Windows Vista, Windows 7, and Windows 8). Within each folder containing encrypted files, CTB-Locker creates AllFilesAreLocked.bmp and DecryptAllFiles.txt and uses seven random letters as file names.
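The on-disk indicators just listed (the .ctbl extension, the two ransom-note files, and seven-letter file names) can be turned into a simple triage scan. The script below is an added example, not Datto's or CTB-Locker's code; the directory tree it scans is constructed in a temp folder for demonstration, and the seven-letter check is only reported alongside the stronger indicators because such names also occur in benign data.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files get the .ctbl extension, and
# each affected folder receives AllFilesAreLocked.bmp, DecryptAllFiles.txt and a
# file whose name is seven random letters.
NOTE_FILES = {"allfilesarelocked.bmp", "decryptallfiles.txt"}
ENCRYPTED_EXT = ".ctbl"
SEVEN_LETTER_NAME = re.compile(r"^[A-Za-z]{7}$")


def scan_for_ctb_locker(root: str) -> dict:
    """Walk `root` and return, per folder, the CTB-Locker evidence found there."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_EXT))
        notes = sorted(f for f in files if f.lower() in NOTE_FILES)
        # Only report a folder when a strong indicator is present; the
        # seven-letter name is a supporting signal, not a verdict on its own.
        if encrypted or notes:
            seven = sorted(f for f in files if SEVEN_LETTER_NAME.match(Path(f).stem))
            findings[dirpath] = {
                "encrypted": encrypted,
                "ransom_notes": notes,
                "seven_letter_names": seven,
                "confidence": "high" if (encrypted and notes) else "medium",
            }
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory layout (harmless placeholder files) to scan."""
    root = tempfile.mkdtemp(prefix="ctb_demo_")
    hit = Path(root, "Documents")
    hit.mkdir()
    for name in ("report.docx.ctbl", "photo.jpg.ctbl", "AllFilesAreLocked.bmp",
                 "DecryptAllFiles.txt", "qwtxlpa.html"):
        (hit / name).write_text("constructed sample")
    clean = Path(root, "Music")
    clean.mkdir()
    (clean / "song.mp3").write_text("constructed sample")
    return root


if __name__ == "__main__":
    for folder, evidence in scan_for_ctb_locker(build_sample_tree()).items():
        print(folder, evidence)
```

Point it at a file share or user profile root to list which folders carry the indicators before deciding what to restore from backup.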

What can be done to avoid infection with CTB-Locker?

Be cautious when opening emails with attachments. Phishing is a commonly used tactic in cyberattacks, and it’s important that your clients and employees are aware of the technique and how to identify it. Cybercriminals try to trick users with catchy, fear-based email subjects like “FedEx delivery failure notification” to set off an infection. The user only has to click on the attachment for chaos to ensue.

Backup and data protection remain the most effective tactics to prevent downtime and the prospect of lost data. In the case of CTB-Locker, there’s nothing that can be done to decrypt infected files. The ability to access the ‘last best version’ of the data from an automatic backup is the best ‘medicine’ you can give in the event of an infection.
