Ransomware Strains: What MSPs Need to Know About CTB-Locker

While there is, unfortunately, no foolproof way to protect against ransomware, there are steps managed service providers (MSPs) can take to educate their staff and their clients about the various ransomware strains that could drastically impact business operations. Many of these events can be avoided with preventative measures like third-party automatic backup solutions and having a strategic recovery plan in place.

The importance of these measures has become increasingly more necessary as organizations around the world face rising cybersecurity threats.

First things first, you have to know what you’re up against and be able to recognize the signs and symptoms of a breach. It’s likely your clients’ employees have never even heard of these ransomware strains so the best thing you can do is help them understand the basics.

What is CTB-Locker?

CTB-Locker ransomware is part of the crypto-ransomware family. This type of virus infiltrates operating systems via infected email messages and fake downloads (e.g., rogue video players or fake Flash updates). After successful infiltration, this malicious program encrypts various files (*.doc, *.docx, *.xls, *.ppt, *.psd, *.pdf, *.eps, *.ai, *.cdr, *.jpg, etc.) stored on computers and demands a ransom payment of in Bitcoins to decrypt them (encrypted documents receive the .ctbl files extension).

Cybercriminals responsible for releasing CTB-Locker ensure that it executes on all Windows operating system versions (Windows XP, Windows Vista, Windows 7, and Windows 8). CTB-Locker ransomware creates AllFilesAreLocked.bmp DecryptAllFiles.txt and uses seven random letters as file names within each folder containing the encrypted files.

What can be done to avoid infection with CTB-Locker?

Be cautious when opening emails with attachments. Phishing is a commonly used tactic in cyberattacks and it’s important your clients and employees are aware of the technique and how to identify it. Cybercriminals try to trick users with catchy, fear-based email subjects like “FedEx delivery failure notification” to set off an infection. The user only has to click on the attachment for chaos to ensue.

How to identify an infection

A message like this appears on the screen when CTB-Locker has successfully infected.

The worst part about this strain is that files can’t be decrypted without paying the ransom, and even then, it’s not guaranteed. It’s not advisable to pay the ransom because there is no guarantee the files will ever be decrypted. It also essentially supports cybercriminals in their efforts to lure victims and spread infection.

After seeing the message, which is almost always a clear signal infection has happened, users won’t be able to open files stored on their computer. Files will now have a different extension (i.e., my.docx.locked).

How to avoid CTB-Locker

Backup and data protection remain the most effective tactics to prevent downtime and the prospect of lost data. In the case of CTB-Locker, there’s nothing that can be done to decrypt infected files. The ability to access the ‘last best version’ of the data from an automatic backup is the best ‘medicine’ you can give in the event of an infection.

How to remove CTB-Locker

With CTB-Locker, removing the virus is relatively easy, but the encryption from the files is where the problem lies. Since it’s not feasible to decrypt files without paying the ransom, the best solution in this scenario is to recover data from a third-party backup solution.

 

Offering your clients a reliable and proven business continuity and disaster recovery solution along with cloud-to-cloud backup and restore for SaaS applications is critical to ensure continuity of business operations with ransomware on the rise.