The ransomware threat known as CTB-Locker (aka Critroni) is making fresh rounds, sneakily infiltrating people’s machines via emails purporting to come from Google. The mails warn that “your version of Google Chrome is potentially vulnerable and out of date,” but clicking the download link executes malware instead.
The trojan, first uncovered by researcher Kafeine last year, is very similar to CryptoLocker: it encrypts personal files and demands a hefty ransom (typically 2 Bitcoin, or about $500) for the unique key needed to decrypt them. As we previously reported, it leapt out of the Dark Web with a for-hire monetization scheme.
Malwarebytes researcher Jerome Segura noted that the payload is not attached to the email but instead gets downloaded from various websites that appear to have been compromised. He notes that prevention is the best tactic in this case, and that users should examine links for authenticity before clicking on them.
According to Richard Blech, CEO of Secure Channels, the resurgence of Critroni demonstrates that the design and implementation of security solutions on devices need to evolve so that protecting a user's data against a threat no longer depends on the end user.
“There are existing solutions available—all involving the user learning and being aware of what to do in advance, still a bad plan,” he said via email. “The phone data from the outset should be impenetrably encrypted to prevent data from being compromised from the ransomware. Malware detection and prevention is an essential tool; unfortunately the exploit can enter the user's phone before the detection solution is available. Encrypting the data on the phone will prevent the ransomware from finding the data to exploit. This keeps the user protected even if they open an infected decoy file.”
David Swift, chief architect for threat intelligence and behavioral analytics experts Securonix, told Infosecurity that ransomware offers a follow-on threat, aside from the compromise of one computer.
“While it’s annoying to have a single machine’s data lost, it only hints at the actions malicious actors can take once they’re on our system, and only touches on one vector, email,” he said. “The number of client-side attacks on browsers, anti-virus, Adobe, Java, and the common well-known client applications is endless and relentless, and the fact that, once the host is compromised, the data can be harvested and used in any number of nefarious ways is even more alarming.”
For instance, attackers can harvest other cached credentials for use in the next attack, and originate on the inside of protected networks with legitimate credentials. Or, they can steal sensitive information that can increase the end user’s likelihood of clicking on the subsequent emails.
“This new attack should scream two lessons to those of us listening,” he added. “One, end user education is mandatory for all, and should be part of elementary school education today. Two, users will do risky things and accounts will be compromised; we must find new ways to monitor our accounts for signs of compromise and misuse to protect ourselves and our networks from users that fall victim to the countless variants that target them every day.”