The ransomware landscape has been populated with a very long list of new threats since the beginning of the year, but also with copycats and, more recently, impersonators.
While it might sound strange that a piece of ransomware is attempting to impersonate another, the recently spotted CTB-Faker, which claims to be the already known CTB-Locker, is proof that this is indeed possible. The newcomer is nothing like the already established threat, but still attempts to extort money from victims.
Although the ransom note dropped by CTB-Faker claims that users’ files were encrypted by CTB-Locker, the claim is far from true. Instead of injecting into explorer.exe to be launched at system startup and to encrypt files by abusing this injection, as CTB-Locker would, CTB-Faker makes use of various scripts and leverages WinRAR to perform the encryption process.
According to Check Point researchers, the new ransomware family abuses WinRAR for encryption because the implementation is easy to achieve and because the program includes a password protect mode that helps the malware achieve its purpose. Moreover, the legitimate application includes an option to delete the original files after they were compressed and encrypted.
Once the ransomware has compromised a system, it requires user interaction to be launched, and spawns another copy of itself after the user runs it, asking for administrator rights. Running with admin rights, the malware launches four copies of wscript.exe, with different vbs scripts created by CTB-Faker. However, the first of these processes is the one responsible for encrypting files.
A close analysis of the malware shows that it sets the compressed file format to .zip, deletes all files after compression and encryption, and sets WinRAR to run in the background. The ransomware also includes arguments for setting the compression level, for setting the destination of the encrypted files, and for turning off the computer after the requested files are stored.
What researchers also discovered was a major flaw in the malware: a p4w1q3x5y8z argument is used to set the password for the newly created archives to p4w1q3x5y8z. Basically, this allows for immediate and free file decryption, yet the malware would still display a note to demand a $50 ransom and to claim that users’ files were encrypted by CTB-Locker using SHA-512 and RSA-4096.
According to researchers, the ransomware shows no network activity, meaning that no keys are exchanged with an external server and that the aforementioned p4w1q3x5y8z key is the only one used for encryption.
According to BleepingComputer, the ransomware uses two Bitcoin addresses in the ransom notes, but only one of them has shown activity at the time of their analysis. The cybercriminals behind this piece of malware use two email addresses to deliver the decryption passwords to their victims, namely help(at)openmailbox.org and miley(at)openmailbox.org.