CTB-Locker Ransomware Impersonator Uses WinRAR for Encryption

The ransomware landscape has been populated with a very long list of new threats since the beginning of the year, but also with copycats and, more recently, impersonators.

While it might sound strange that a piece of ransomware is attempting to impersonate another, the recently spotted CTB-Faker, which claims to be the already known CTB-Locker, is proof that this is indeed possible. The newcomer is nothing like the already established threat, but still attempts to extort money from victims.

Although the ransom note dropped by CTB-Faker claims that users’ files were encrypted by CTB-Locker, the claim is far from true. Instead of injecting into explorer.exe to be launched at system startup and to encrypt files by abusing this injection, as CTB-Locker would, CTB-Faker makes use of various scripts and leverages WinRAR to perform the encryption process.

According to Check Point researchers, the new ransomware family abuses WinRAR for encryption because it is easy to implement and because the program includes a password-protect mode that helps the malware achieve its purpose. Moreover, the legitimate application includes an option to delete the original files after they have been compressed and encrypted.

Once the ransomware has compromised a system, it requires user interaction to be launched; after the user runs it, it spawns another copy of itself that asks for administrator rights. Running with admin rights, the malware launches four copies of wscript.exe, each with a different VBS script created by CTB-Faker. However, only the first of these processes is responsible for encrypting files.

A close analysis of the malware shows that it sets the compressed file format to .zip, deletes all files after compression and encryption, and sets WinRAR to run in the background. The ransomware also includes arguments for setting the compression level, for setting the destination of the encrypted files, and for turning off the computer after the requested files are stored.

What researchers also discovered was a major flaw in the malware: a p4w1q3x5y8z argument is used to set the password for the newly created archives to p4w1q3x5y8z. Basically, this allows for immediate and free file decryption, yet the malware would still display a note to demand a $50 ransom and to claim that users’ files were encrypted by CTB-Locker using SHA-512 and RSA-4096.

According to researchers, the ransomware shows no network activity, meaning that no keys are exchanged with an external server and that the aforementioned p4w1q3x5y8z key is the only one used for encryption.
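The behaviour described above (a script host launching WinRAR to create password-protected archives and delete the originals) can be hunted for in process-creation logs, and because the password is passed as an argument, it can be recovered from the logged command line. The following is an added example, not code from Check Point or BleepingComputer. The switch names come from WinRAR's command-line documentation, and the event fields, paths and passwords are constructed for illustration.

```python
import re

# Switch names come from WinRAR's command-line documentation, not from the
# article, which describes the behaviours without naming the switches.
TRAITS = {"-df": "deletes originals", "-ibck": "runs in background",
          "-afzip": "zip format", "-ioff": "powers off when done"}
PASSWORD = re.compile(r"^-h?p(.+)$", re.IGNORECASE)   # -p<pwd> or -hp<pwd>
ARCHIVERS = {"winrar.exe", "rar.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def image_name(path):
    """Lower-cased file name of a possibly quoted Windows path."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def analyze(event):
    """Flag archive creation that sets a password and deletes the originals."""
    argv = re.findall(r'"[^"]*"|\S+', event["cmdline"])
    if len(argv) < 2 or image_name(argv[0]) not in ARCHIVERS:
        return None
    if argv[1].lower() != "a":                      # "a" = add files to archive
        return None
    traits, password = [], None
    for arg in argv[2:]:
        match = PASSWORD.match(arg)
        if match:
            password = match.group(1)               # password is logged in clear
        elif arg.lower() in TRAITS:
            traits.append(TRAITS[arg.lower()])
    if password is None or "deletes originals" not in traits:
        return None
    scripted = image_name(event["parent"]) in SCRIPT_HOSTS
    return {"severity": "high" if scripted else "medium",
            "recovered_password": password, "traits": traits}

# Constructed process-creation events (hypothetical field names and values).
EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -afzip -df -ibck -m0 '
                r"-pCONSTRUCTED-PW C:\Users\Public\out.zip C:\Users\alice\Documents"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -afzip C:\backup\docs.zip C:\docs'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rar.exe a -hpCONSTRUCTED-PW2 -df archive.rar reports"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(analyze(ev))
```

Only the first constructed event is rated high, because it combines a script-host parent with the password and delete-originals switches; the second is ordinary archiving and produces no finding.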

According to BleepingComputer, the ransomware uses two Bitcoin addresses in the ransom notes, but only one of them has shown activity at the time of their analysis. The cybercriminals behind this piece of malware use two email addresses to deliver the decryption passwords to their victims, namely help(at) and miley(at)
