New ransomware named CTB-Faker has been discovered that pretends to be CTB-Locker ransomware. The ransomware will use the same images and contain some of the same content; However, instead of encrypting files on a computer that it infects it will move the files into a password protected .zip archive located at C:\Users.zip. CTB-Faker ransomware will then demand a ransom payment of .08 bitcoins, which is around $50.00 USD, in order to obtain a password to retrieve the files.
CTB-Faker ransomware is primarily distributed through fake Adult web cam videos, including a video that claims to contain a striptease. If a malicious link on the fake Adult web cam profile is clicked it will cause a zip file to download, which is hosted by JottaCloud. When the .zip file is extracted and an executable is ran by the user, the ransomware will move all the files into a password protected .zip archive folder. The main installer will then execute a VBS file. This file will generate a fake graphic card error and won’t let victims view the striptease video. But, in the background, the fake CTB-Locker ransomware is creating a password-protected .zip archive located at C:\Users.zip. The password protected .zip archive that it creates will contain files that the ransomware claims to encrypt.
CTB-Faker ransomware will then use a lot of CPU resources to slowly move the files located in the C:\Users folder to the .zip archive that match the following file extensions:
.exe, .msi, .dll, .jpg, .jpeg, .bmp, .gif, .png, .psd, .mp3, .wav, .mp4, .avi, .zip, .rar, .iso, .7z, .cab, .dat, .data
Once the ransomware has built the .zip archive it will delete certain VBS and Batch files found in the C:\ProgramData folder and it will then reboot the computer. When Windows Desktop is restarted the user will be met with a ransom note on the desktop background or text file that demands the victim to pay roughly $50.00 USD via Bitcoins. The note claims that once the payment is made the victim must email them to get a password. The ransomware uses several email addersses, some with a history of Bitcoin activity and some with not. 2 email address that it may use are firstname.lastname@example.org and email@example.com.
The ransomware will leave ransom notes on the computer it infects located at C:\ProgramData\index.html, C:\ProgramData\your personal files are encrypted.txt, and C:\your personal files are encrypted.txt.
C:\ProgramData\7zxa.dll C:\ProgramData\Default.SFX C:\ProgramData\Descript.ion C:\ProgramData\Rar.exe C:\ProgramData\RarExt.dll C:\ProgramData\RarExt64.dll C:\ProgramData\RarFiles.lst C:\ProgramData\UNACEV2.DLL C:\ProgramData\UnRAR.exe C:\ProgramData\Uninstall.lst C:\ProgramData\WinCon.SFX C:\ProgramData\WinRAR.exe C:\ProgramData\Zip.SFX C:\ProgramData\archiver.bat C:\ProgramData\archiver.vbs C:\ProgramData\copy.bat C:\ProgramData\copy.vbs C:\ProgramData\help.exe C:\ProgramData\index.html C:\ProgramData\rarnew.dat C:\ProgramData\restore.exe C:\ProgramData\startup.exe C:\ProgramData\startup.vbs C:\ProgramData\untitled.png C:\ProgramData\untitled.vbs C:\ProgramData\your personal files are encrypted.txt C:\ProgramData\zipnew.dat C:\your personal files are encrypted.txt
CTB-Faker registry entries
It is not recommended to pay ransomware authors to decrypt your files. Instead you can use programs like Shadow Explorer or Recuva to restore encrypted or deleted files.
How to remove CTB-Faker ransomware
- Restore your encrypted files with Recuva
- Remove CTB-Faker with Malwarebytes
- Perform a second-opinion scan with HitmanPro
- Cleanup junk and repair your settings with CCleaner
Restore your encrypted files with Recuva
2. Run the program and start the Recuva Wizard.
3. Select All Files and click Next.
4. Select a file location. Click I’m not sure to search everywhere on your computer.
5. Click Start.
6. Select All Files with your mouse and click the Recover button.
If you cannot restore your files with Recuva we recommend to try using Shadow Explorer to restore your files.
Remove CTB-Faker with Malwarebytes
2. Open Malwarebytes and click the Scan Now button – or go to the Scan tab and click the Start Scan button.
3. Once the Malwarebytes scan is complete click the Remove Selected button.
4. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer if promoted to do so.
Perform a second-opinion scan with HitmanPro
2. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may chose to create a copy or perform a one-time scan.
3. Once the HitmanPro scan is complete click the Next button.
4. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.
5. Click the Reboot button.
Cleanup junk and repair your settings with CCleaner
2. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.
3. Go to Tools > Startup and search for suspicious entries in each tab starting from Windows all the way to Content Menu. If you find anything suspicious click it and click the Delete button to remove it.
4. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.
How to stay protected against future infections
The key to staying protected against future infections is to follow common online guidelines and take advantage of reputable Antivirus and Anti-Malware security software with real-time protection.
Real-time security software
Security software like Malwarebytes and Norton Security have real-time features that can block malicious files before they spread across your computer. These programs bundled together can establish a wall between your computer and cyber criminals.
Common Online Guidelines
- Backup your computer and personal files to an external drive or online backup service
- Create a restore point on your computer in case you need to restore your computer to a date before infection
- Avoid downloading and installing apps, browser extensions, and programs you are not familiar with
- Avoid downloading and installing apps, browser extensions, and programs from websites you are not familiar with – some websites use their own download manager to bundle additional programs with the initial download
- If you plan to download and install freeware, open source software, or shareware make sure to be alert when you install the object and read all the instructions presented by the download manager
- Avoid torrents and P2P clients
- Do not open email messages from senders you do not know