Encryption is widely used by dark web actors these days. Cybercriminals develop and distribute software called ransomware. The ransomware uses encryption to render data unreadable. It hides the relevant decryption key and forces users to pay the ransom. Unless the ransom is paid, the infection destroys the decryption key.
CTB Locker is among the latest releases of such ransomware. The greatest issue with crypto malware as compared to common viruses is the impact of infection removal. Removing CTB Locker ransomware does not recover any affected data. Moreover, the removal of CTB Locker implies you are no longer able to purchase the decryption key. Needless to say, purchasing the key should be a last-resort measure, if ever. In some cases, victims just have no choice as the stakes are too high.
If you remove a common infection, it can no longer harm your PC. At least, that applies to redirect viruses, keyloggers, and counterfeits of all kinds. Removal in those cases is critical, for the longer the infection resides on your PC, the greater the harm it causes.
With ransomware like CTB Locker, the damage is done immediately after it lands. In rare cases, the firewall may intercept the outgoing decryption key. In such cases, it is not quite clear how and why the firewall could fail to prevent the invasion.
CTB Locker is available on underground forums and communities. Its developers most likely do not spread their virus with their own hands. Instead, they have made it available to a number of affiliates. The affiliates return a share of each ransom payment settled by the victims, typically about 25%, to their boss.
The distributors inject copies of the ransomware using a variety of methods. Spamming prevails. Other techniques exploit corporate network and individual machine vulnerabilities. Even drive-by downloads have been reported.
Once the CTB Locker crypto virus lands on a target computer, it installs its components. The installation runs in the background. Security solutions, if not advanced, neither detect nor terminate the installation. Once installed, the virus scans all the drives available from the affected machine. Its scan covers native drives of the affected machine, as well as the local network and Google Drive storage, if applicable.
The infection targets any data available from the affected machine. Several cases featured the infection landing in a corporate network. The network data was secured with regular backups. However, the backups were stored on one of the machines within the network. No restriction rules applied. The virus was thus able to encrypt the data in the backup.
The data detected by the ransomware undergoes a complex transformation. A decryption key is issued and dispatched safely to the remote server. The key is required to decrypt the affected data. The ransomware creates its ransom note. The note sets the amount, the deadline, and the method for transferring the ransom. The ransom is payable in bitcoins.
To sum it up, it is good to make timely backups of your data. The reserve copies should be stored outside of any network. It is also good to prevent unverified data downloads. Even emails from your approved contacts should be security-checked.
Paying the ransom is what the scammers expect us to do. If you have been unfortunate enough to get the ransomware on your PC, please try to recover your data. Decryption is not possible without the key. However, system and third-party recovery solutions are likely to restore the affected data to the extent that will satisfy you. Once you have completed your data recovery, do not forget to get rid of CTB Locker.