Know Your Ransomware: CTB-Locker


Emerging in mid-2014, Curve-Tor-Bitcoin (CTB) Locker, also known as Critoni, was one of the first ransomware to use Tor to hide its C2 infrastructure, and subsequently evade detection and blocking.

‘’Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server’’ says Fedor Sinitsyn, a senior malware analyst at Kaspersky Lab.

While active during 2015, the activity of CTB-Locker decreased considerably in 2016. However, during the second half of last year CTB-Locker reinvented itself by creating a new variant that has been seen targeting web-servers, and uniquely using the Bitcoin blockchain to deliver decryption keys to victims.

CTB-Locker is reported to represent the top malware threat for the financial services industry, therefore necessitating a brief assessment. This blog will concentrate on the core variant as opposed to the new web variant.

Ransomware Timeline

What’s in a name?

The name of the ransomware comes from its main advantages (Curve-Tor-Bitcoin), in addition to it being multilingual: German; Dutch; Italian; French; Spanish, Latvian; and English.

  • Curve: comes from its persistent use of Elliptic Curve Cryptography (ECC), a form of public key cryptography;
  • Tor: comes from the malicious C2 server placed in the Onion domain, which is extremely hard to detect and subsequently take down;
  • Bitcoin: refers to the cryptocurrency that the ransom is paid in.

Infection Vectors

The authors of CTB-Locker are believed to be using an affiliate program to drive infections by outsourcing the infection process to a network of affiliates in exchange for a cut of the profits. In the past, this model has been successfully used to generate large revenues for a wide range of malware services.

CTB-Locker has been observed being distributed through several exploit kits, including Rig and Nuclear. However, it is through aggressive malicious spam campaigns that the ransomware has been delivered the most. The most widely seen spam campaigns that distribute CTB-Locker use a downloader component known as Dalexis or Elenocka. The spam messages follow a variety of formats, including missed fax messages, financial statements, overdue invoices, and account suspensions.

In terms of the geography of infections, CTB-Locker is mostly seen affecting Western Europe, North America, and Australia, though its geographic spread is wide and will continue to grow.

How does it work?

As mentioned above, CTB-Locker is being distributed via spear-phishing emails weaponised with a ZIP file. When the ZIP file is accessed, a downloader is placed on the system. The downloader uses a list to connect to a number of malicious domains controlled by the attackers, from where it can download the ransomware.


When the ransomware executes, it downloads a copy of itself to the temporary directory and creates a scheduled task to enable reboot persistence:

The file is then iterated and all the files that match the extension list of CTB-Locker will be encrypted:

The desktop background image is changed, and CTB Locker overlays the ransom message and a clickable interface:

When the victim clicks through the ransom interface, they are given detailed instructions on how to proceed with the payments options:

CTB-Locker requires the ransomware to be paid in Bitcoin. The exact amount is set by the affiliate who has purchased CTB-Locker, although it is believed that the authors give general guidance on the ransom amount.


CTB-Locker uses a combination of symmetric and asymmetric encryption to scramble files. The encryption itself is carried out using AES, and the means to decrypt the files are encrypted with the ECC public key. This ensures that only the CTB-Locker authors, who have the corresponding private key, can decrypt the files.

Network Communication

CTB-Locker can start encrypting files without requiring internet connection. When the victims attempt to decrypt the files, all communications are carried out via Tor, usually through proxy websites. When the victims have paid the ransom, CTB-Locker will contact the C2 server, sending a block of data that contains the information needed to derive the key that will decrypt the victim’s files. This block of data can only be decrypted with the master key stored on the server.

So what?

CTB-Locker displays a number of advantages compared to other ransomware variants targeting the financial services sector (especially in the UK), such as File Cryptor, File Locker, Cryptowall, TeslaCrypt, and Trojan Ransom:

  • The ransomware does not require an active internet connection before it starts encrypting files, which makes it harder to detect.
  • The ECC encryption that the ransomware uses is believed to achieve stronger security levels with smaller key sizes, which might be of advantage to the author’s decision-making process. The ransomware uses a combination of symmetric and asymmetric encryption. This ensures that only the CTB-Locker authors can decrypt the files, which maximises the success rate of the ransomware against its targets.
  • The ransomware is continually looking for new attack vectors. The latest web variant using the Bitcoin blockchain platform to deliver decryption keys is a good example of that. However, an upgrade does not always guarantee the success of the original variant.
  • The fact that CTB-Locker is being offered as a service in underground forums expands the trajectory of threats to financial institutions considerably as far as threat actors are concerned – it provides room for both professional and amateur cyber criminals to target the industry.
  • Finally, recent variants have been observed to be offering the victims the chance the decrypt random files for free to gain their confidence, which is highly likely to increase the overall likelihood of the targets paying the full ransom.

Mitigation Strategies

Like it or not, ransomware is big business. The problem is only going to get bigger with the availability of ‘’ransomware-as-a-service’’ as well as the introduction of the Internet of Things (IoT) into our daily lives, both private and working.

When it comes to mitigation there is no single magic formula that is going to make the threat disappear. The following simple guidelines, however, are a good starting point:

  • Do not click on suspicious looking emails, and more importantly do not click on untrusted email links or download unsolicited email attachments.
  • Create backups. Storing your backups separately is also key.
  • Disable ActiveX content in Microsoft Office applications.
  • Keep your system and applications up to date.
  • Disable remote desktop connections.
  • Block binaries running from %APPDATA% and %TEMP% paths.


Find out more about our cyber intelligence services:

Subscribe to receive free updates

If you'd like to be kept updated on our blog, why not subscribe?

We will never give away, trade or sell your email address. You can unsubscribe at any time.