Since our previous post we have noticed different formats of emails going round, and the most common is the fax email, which seems to be stinging more businesses and individuals. It looks like a legitimate fax message from the office fax machine, complete with an attachment. The .zip file contains another .zip, and inside that is the executable .scr file. This installs the malicious downloader known as Dalexis, which then attempts to contact a predetermined list of websites.
CTB-Locker will encrypt the victim’s files and append a randomly generated 7-character extension to the original filenames. Additionally, it will write a copy of itself to the user’s local temporary files folder with a randomly generated 7-character name and the extension .exe. To ensure CTB-Locker is kept running, it will create a scheduled task with a randomly generated 7-character name. Lastly, CTB-Locker will present the victim with a ransom notice and a countdown timer showing how long the victim has left to pay the ransom. CTB-Locker will also change the victim’s desktop background picture to an image containing the same ransom payment instructions. Finally, a copy of the same instructions will also be stored in the victim’s My Documents folder as both an image and a text file, named Decrypt All Files [random 7 characters].bmp and Decrypt All Files [random 7 characters].txt respectively. The ransom instructions will direct the victim to pay the ransom, in Bitcoins, to a specified Bitcoin address. In most cases, we have observed the ransom to be 3 BTC (about 650 USD or 575 EUR).
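The behaviours listed above (a random 7-character extension appended to encrypted files, a 7-character .exe dropped in the user's temp folder, a 7-character scheduled task name, and ransom notes named "Decrypt All Files [7 characters].bmp/.txt") can be turned into a simple triage check for a responder. The script below is an added example, not code from the original post or from any vendor tool; it runs over a constructed file listing and task list rather than a live host, and the allow-list of legitimate 7-letter extensions and the cluster threshold of five files are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators taken from the behaviour described in the post.
RANSOM_NOTE_RE = re.compile(
    r"^Decrypt All Files [A-Za-z0-9]{7}\.(?:bmp|txt)$", re.IGNORECASE
)
SEVEN_ALNUM_RE = re.compile(r"^[A-Za-z0-9]{7}$")
TEMP_EXE_RE = re.compile(r"^[A-Za-z0-9]{7}\.exe$", re.IGNORECASE)

# Assumptions (not from the post): legitimate 7-letter extensions to ignore,
# and how many files must share one unknown extension before it is reported.
KNOWN_7CHAR_EXTENSIONS = {"torrent", "sqlite3"}
MIN_CLUSTER = 5


def triage(file_paths, task_names):
    """Scan a list of Windows file paths and scheduled-task names for
    CTB-Locker style indicators. Returns a dict of findings."""
    ransom_notes = []
    temp_executables = []
    ext_counter = Counter()

    for raw in file_paths:
        path = PureWindowsPath(raw)
        name = path.name

        # Ransom note dropped into My Documents as .bmp and .txt.
        if RANSOM_NOTE_RE.match(name):
            ransom_notes.append(raw)

        # 7-character .exe copy of the malware in a Temp folder.
        in_temp = any(part.lower() == "temp" for part in path.parts)
        if in_temp and TEMP_EXE_RE.match(name):
            temp_executables.append(raw)

        # Count files per unknown 7-character extension; a single random
        # extension shared by many files is the encryption signature.
        ext = path.suffix[1:]
        if SEVEN_ALNUM_RE.match(ext) and ext.lower() not in KNOWN_7CHAR_EXTENSIONS:
            ext_counter[ext] += 1

    clusters = {ext: n for ext, n in ext_counter.items() if n >= MIN_CLUSTER}
    suspect_tasks = [t for t in task_names if SEVEN_ALNUM_RE.match(t)]

    return {
        "ransom_notes": ransom_notes,
        "temp_executables": temp_executables,
        "extension_clusters": clusters,
        "suspect_tasks": suspect_tasks,
    }


def is_likely_ctb_locker(findings):
    """Require at least two independent indicator types before alerting,
    since a lone 7-character task name or extension is not conclusive."""
    hits = sum(1 for v in findings.values() if v)
    return hits >= 2


# Constructed sample listing (not a real infection) exercising each indicator.
SAMPLE_FILES = [
    r"C:\Users\bob\Documents\report.docx.k3j9qzx",
    r"C:\Users\bob\Documents\budget.xlsx.k3j9qzx",
    r"C:\Users\bob\Pictures\holiday.jpg.k3j9qzx",
    r"C:\Users\bob\Pictures\family.jpg.k3j9qzx",
    r"C:\Users\bob\Desktop\notes.txt.k3j9qzx",
    r"C:\Users\bob\Documents\Decrypt All Files k3j9qzx.bmp",
    r"C:\Users\bob\Documents\Decrypt All Files k3j9qzx.txt",
    r"C:\Users\bob\AppData\Local\Temp\b7xq2mn.exe",
    r"C:\Users\bob\Downloads\linux.torrent",
    r"C:\Users\bob\Documents\untouched.docx",
]
SAMPLE_TASKS = ["GoogleUpdateTaskMachineUA", "pzq7tvm"]

if __name__ == "__main__":
    result = triage(SAMPLE_FILES, SAMPLE_TASKS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("likely CTB-Locker:", is_likely_ctb_locker(result))
```

On a real host the file list would come from a directory walk of the user profile and the task names from `schtasks /query`; the two-indicator rule in `is_likely_ctb_locker` keeps a single coincidental 7-letter name from raising an alert on its own.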