Fake “Account Locked” notices are delivering CTB-Locker

“Active spam campaigns delivering fake notices about temporarily locked accounts have been spotted in the last few days delivering a deadly malware combination: the Dalexis downloader and the CTB-Locker (aka Critroni) ransomware.

According to both Brad Duncan, Security Researcher at Rackspace, and techhelplist.com, the fake emails come from either compromised or spoofed email addresses, with “Your account [random number] has been banned” in the Subject line.

“Dear user,” says the email, “We detect unauthorized Login Attempts to your ID #[random number] from other IP Address. Please re-confirm your identity. See attached docs for full information.”

The attached ZIP file contains a SCR file (Dalexis), which drops a CAB file, extracts an RTF document from it and opens it on the victim’s desktop. The document contains some random “Terms and Conditions of Use” text.

Meanwhile, in the background, Dalexis also downloads the CTB-Locker, and the infection becomes obvious several minutes latet, when the ransomware finishes encrypting the victim’s files and shows the ransom note.

This CTB-Locker variant does not seem to differ much from the initial one spotted by Kaspersky Lab researchers in July 2014: it encrypts a wide range of files (likely with the same encryption method) and its command server is located within the Tor anonymity network.

The only difference is that the ransomware peddlers are now asking for more money: 3 Bitcoin instead of 0.16, i.e. around $705 instead of $96.

Once again, users are advised to never open attachments they have received via unsolicited messages, and to regularly back up their important files.

Despite the fact that some companies have provided test decryption tools for files encrypted by some ransomware types (TeslaCrypt, CoinVault, TorLocker) the best protection against ransomware is to be careful and back up.”