The newly found CTB-Faker was recently discovered trying hard to imitate the CTB-Locker ransomware. It is a very poor imitator, however: instead of encrypting the victim's files, it moves them into a password-protected ZIP archive. CTB-Faker then demands a ransom of ~0.08 bitcoins, which equates to approximately $50 USD, for releasing your files.
The good news is that there is a way to get your files back for free if you have a sample of the original installer. The main executable of CTB-Faker includes many image resources that are used as backgrounds for the ransom note.
Presently, CTB-Locker is distributed via fake profile pages on adult sites that contain passwords and links to a supposed password-protected striptease video. Once a user clicks the link in the profile, it downloads a ZIP file, which is currently being hosted on JottaCloud. As soon as the user extracts the contents of the ZIP file and runs the included executable, the ransomware will encrypt their files.
In fact, CTB-Faker is a WinRAR SFX file; when executed, it extracts numerous batch files, VBS files, and executables into the C:\ProgramData folder. The main installer then runs a VBS file that displays a fake error message, pretending that a graphics card error is preventing you from watching the striptease video.
Meanwhile, the ransomware is actually using the bundled WinRAR to create a password-protected ZIP archive located at C:\Users.zip. As it archives the files, CTB-Faker moves them into the password-protected archive rather than copying them.
Because the process described above is slow and CPU-intensive, victims will notice that their hard drives are being constantly accessed and that CPU utilization spikes to higher-than-normal percentages.
Once the archive has been created, the program deletes various VBS and batch files located in C:\ProgramData and then reboots the computer. As soon as the PC has restarted and the victim logs in, they are presented with a ransom screen.
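As an added defender-side example (not code from the article or from the malware), the following Python scans constructed Sysmon-style process-creation records for the behaviour chain described above: a script host running a .vbs out of C:\ProgramData, an archiver writing a password-protected archive at a drive root, and then a reboot. The WinRAR switches, file names, and the assumption that the bundled WinRAR runs from C:\ProgramData are mine, not details given by the article.

```python
import re

# Constructed sample events (not from the article): (seq, image path, command line).
# The VBS name, the WinRAR switches and the password are hypothetical.
SAMPLE_EVENTS = [
    (1, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\ProgramData\gfx_error.vbs"'),
    (2, r"C:\ProgramData\WinRAR.exe",  # assumption: bundled WinRAR dropped in ProgramData
     r"WinRAR.exe a -afzip -df -r -pHYPOTHETICAL C:\Users.zip C:\Users\*"),
    (3, r"C:\Windows\System32\shutdown.exe", r"shutdown.exe /r /t 0"),
]
# Constructed benign activity: a user zipping a document, and a login script.
BENIGN_EVENTS = [
    (1, r"C:\Program Files\WinRAR\WinRAR.exe",
     r"WinRAR.exe a -afzip C:\Users\alice\Documents\report.zip C:\Users\alice\Documents\report.docx"),
    (2, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\alice\login.vbs"'),
]

SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.I)
VBS_IN_PROGRAMDATA = re.compile(r"C:\\ProgramData\\[^\"\s]*\.vbs", re.I)
ARCHIVER = re.compile(r"\\(?:win)?rar\.exe$", re.I)
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:p|hp)\S+")          # WinRAR -p<pwd> / -hp<pwd>
ARCHIVE_AT_DRIVE_ROOT = re.compile(r"(?:^|\s)[a-z]:\\[^\\\s\"]+\.zip\b", re.I)  # e.g. C:\Users.zip
REBOOT = re.compile(r"\\shutdown\.exe$", re.I)

STAGES = ("vbs_decoy_from_programdata", "password_archive_at_drive_root", "reboot")


def classify(image, cmdline):
    """Map one process-creation event to a CTB-Faker stage name, or None."""
    if SCRIPT_HOST.search(image) and VBS_IN_PROGRAMDATA.search(cmdline):
        return STAGES[0]
    if (ARCHIVER.search(image) and PASSWORD_SWITCH.search(cmdline)
            and ARCHIVE_AT_DRIVE_ROOT.search(cmdline)):
        return STAGES[1]
    if REBOOT.search(image) and re.search(r"(?:^|\s)/r\b", cmdline):
        return STAGES[2]
    return None


def detect(events):
    """Return the stages observed, in order; each stage must follow the previous one."""
    seen = []
    for _, image, cmdline in sorted(events):
        stage = classify(image, cmdline)
        if stage and (not seen or STAGES.index(stage) > STAGES.index(seen[-1])):
            seen.append(stage)
    return seen


def is_ctb_faker_chain(events):
    """Alert only when the full decoy -> password archive -> reboot chain is present."""
    return detect(events) == list(STAGES)
```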
The ransom note states that the files have been encrypted and that the victim must pay $50 USD in bitcoins to the bitcoin address 1NgrUc748vG5HerFoK3Tkkb1bHjS7T2w5J. After the payment has been made, they should email email@example.com to get the password. Currently, there is no activity on that bitcoin address.
In addition, there is an alternate background image that contains the bitcoin address 3MTTgd2BaPndUYkmGjiacaPLkuWsiPUzM3 and the email address firstname.lastname@example.org. The 3MTTgd2BaPndUYkmGjiacaPLkuWsiPUzM3 address is in fact active, with over 476 bitcoins received.
Finally, the ransom note contains a Decrypt button and an Internet button. The Internet button opens the default browser. The Decrypt button starts a Restore.exe program that asks you to enter the password for the password-protected ZIP file. After the correct password is entered, the users.zip file is automatically extracted to your hard drive and the files are decrypted.