In the last couple of days, IT security vendor ESET has been observing a surge in a new type of cyber-attack. Dubbed CTB-Locker, it is a new variant in the ransomware family and is affecting organizations within the GCC, and in particular the UAE, with ESET having recorded multiple incidents in a short period of time. The ransomware encrypts users' data and locks them out of it until a ransom of 8 Bitcoins, equivalent at present to $1680, is paid to the attackers.
Commenting on the way in which the malware spreads, Mohamed Djenane, Security Specialist, ESET Middle East, said, “It starts with a simple email. Organizations in the UAE are getting targeted email, mainly having a subject containing the word ‘fax’. This email contains an attachment infected with a trojan downloader.” Once opened by an unsuspecting victim, the trojan downloader connects to the internet and fetches the main CTB-Locker payload. On execution, CTB-Locker encrypts specific file formats on the infected device, locks the user's screen and displays a ransom message.
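The delivery pattern above (a "fax" subject plus an infected attachment) is easy to turn into a mail-gateway triage rule. The following is an added example written for this article, not ESET's detection logic or anything from the original page. It assumes the downloader arrives as an executable (or a zip wrapping one); the extension list and the sample messages are constructed for illustration.

```python
"""Triage raw e-mail messages for the CTB-Locker lure described above:
a subject containing the word "fax" combined with an executable attachment,
possibly wrapped in a .zip.  Added example; not ESET's detection logic."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: extensions that commonly carry a trojan downloader.  The article
# only names "fax" subjects and an infected attachment; this list is ours.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".cab", ".js", ".vbs", ".bat", ".cmd"}
SUBJECT_RE = re.compile(r"\bfax\b", re.IGNORECASE)


def _suspicious_name(name):
    """True if the filename ends in one of the executable extensions."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in EXEC_EXT)


def _names_in_zip(data):
    """Return member names of an in-memory zip, or [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Parse one raw RFC 822 message and return the reasons it matches the
    'fax' lure.  An empty list means the message was not flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = msg.get("Subject", "")
    if SUBJECT_RE.search(subject):
        reasons.append(f"subject mentions fax: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if _suspicious_name(name):
            reasons.append(f"executable attachment: {name}")
        elif name.lower().endswith(".zip"):
            inner = [n for n in _names_in_zip(payload) if _suspicious_name(n)]
            if inner:
                reasons.append(f"zip {name} contains executable: {inner}")
    # Flag only when both the lure and a dangerous attachment are present;
    # a bare "fax" subject is far too noisy to act on by itself.
    has_lure = any(r.startswith("subject") for r in reasons)
    has_attach = any(not r.startswith("subject") for r in reasons)
    return reasons if has_lure and has_attach else []


def _build(subject, filename, data):
    """Construct a sample message with one attachment (test fixture only)."""
    m = EmailMessage()
    m["From"] = "fax@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Please see attached fax.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def _zip_bytes(member, data):
    """Build an in-memory zip holding a single member (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


# Constructed sample messages, not real campaign samples.
SAMPLES = {
    "fax_scr_in_zip": _build("Incoming Fax Report", "fax_000123.zip",
                             _zip_bytes("fax_000123.scr", b"MZ...stub")),
    "fax_pdf": _build("Your fax", "document.pdf", b"%PDF-1.4 stub"),
    "invoice_exe": _build("Invoice", "invoice.exe", b"MZ...stub"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", triage(raw) or "clean")
```

Requiring both the subject lure and an executable attachment keeps the rule from quarantining every legitimate fax notification; a production gateway would replace the extension list with file-type detection on the decoded bytes, since attackers rename payloads freely.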
The new ransomware, which was identified by ESET researchers, has been observed all over the world, with the highest density in Europe and Latin America. There is a strong similarity between CTB-Locker and CryptoLocker, an infamous piece of ransomware that has been making the rounds since September 2013. While both operate in the same manner, encrypting the victim's files and demanding payment, CTB-Locker uses a different encryption scheme: the "C" in its name stands for Curve, reflecting its use of elliptic-curve cryptography in place of the RSA key pair used by CryptoLocker.
CTB-Locker attack – Prevention is the only option
As of now, there is no way to recover the encrypted files once you are hit.
In an emailed response to Arabian Gazette, Djenane says:
“The unfortunate fact of the matter is that there is no remediation. While antivirus solutions such as those provided by ESET will detect and remove the malware itself, the user’s files will remain encrypted. In short, the minute your files get encrypted, that’s it! Besides paying the ransom, which of course offers no guarantee, there is no way to get your data back. The attackers are using a strong encryption mechanism with a public and a private key, which makes it virtually impossible to break.
The only thing users can do is to prevent the infection from happening in the first place by spreading awareness among employees, not opening unknown attachments, and using solutions such as ESET Antivirus to protect against similar future attacks.”
How to protect yourself from CTB-Locker attack
ESET offered the following advice to users and organizations to eliminate or at least reduce the impact of the new CTB-Locker attack:
1. Have a data backup mechanism, whether it is done manually or by implementing a backup solution. This removes the need to pay anything, since you already have a copy of your data. Keep at least one copy offline or otherwise unreachable from user workstations: ransomware encrypts every writable location it can reach, including mapped network drives and attached USB disks, so a backup the infected machine can write to is not a backup.
2. Keep your operating system and antivirus solution up to date.
3. Never open email attachments if you are not 100% sure about the identity of the sender.
4. Provide extensive security awareness and cyber education for employees, in line with best security practices.
5. Report any suspicious activity to the IT team early.