Connect with us

Hi, what are you looking for?


Malware & Threats

CTB-Locker Ransomware Impersonator Uses WinRAR for Encryption

The ransomware landscape has been populated with a very long list of new threats since the beginning of the year, but also with c

The ransomware landscape has been populated with a very long list of new threats since the beginning of the year, but also with copycats and, more recently, impersonators.

While it might sound strange that a piece of ransomware is attempting to impersonate another, the recently spotted CTB-Faker, which claims to be the already known CTB-Locker, is proof that this is indeed possible. The newcomer is nothing like the already established threat, but still attempts to extort money from victims.

Although the ransom note dropped by CTB-Faker claims that users’ files were encrypted by CTB-Locker, the claim is far from true. Instead of injecting into explorer.exe to be launched at system startup and to encrypt files by abusing this injection, as CTB-Locker would, CTB-Faker makes use of various scripts and leverages WinRAR to perform the encryption process.

According to Check Point researchers, the new ransomware family abuses WinRAR for encryption because the implementation is easy to achieve and because the program includes a password protect mode that helps the malware achieve its purpose. Moreover, the legitimate application includes an option to delete the original files after they were compressed and encrypted.

Once the ransomware has compromised a system, it requires user interaction to be launched, and spawns another copy of itself after the user runs it, asking for administrator rights. Running with admin rights, the malware launches four copies of wscript.exe, with different vbs scripts created by CTB-Faker. However, the first of these processes is the one responsible for encrypting files.

A close analysis of the malware shows that it sets the compressed file format to .zip, deletes all files after compression and encryption, and sets WinRAR to run in the background. The ransomware also includes arguments for setting the compression level, for setting the destination of the encrypted files, and for turning off the computer after the requested files are stored.

What researchers also discovered was a major flaw in the malware: a p4w1q3x5y8z argument is used to set the password for the newly created archives to p4w1q3x5y8z. Basically, this allows for immediate and free file decryption, yet the malware would still display a note to demand a $50 ransom and to claim that users’ files were encrypted by CTB-Locker using SHA-512 and RSA-4096.

According to researchers, the ransomware shows no network activity, meaning that no keys are exchanged with an external server and that the aforementioned p4w1q3x5y8z key is the only one used for encryption.

Advertisement. Scroll to continue reading.

According to BleepingComputer, the ransomware uses two Bitcoin addresses in the ransom notes, but only one of them has shown activity at the time of their analysis. The cybercriminals behind this piece of malware use two email addresses to deliver the decryption passwords to their victims, namely help(at) and miley(at)

Related: Ransomware Uses Blockchains to Transmit Decryption Keys 

Related: “Vaccine” Available for CTB-Locker, Locky, TeslaCrypt

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.