CTB-Faker pretends to be the CTB-Locker ransomware variant and targets Windows systems. It is distributed through malicious links posted on fake profile pages hosted on adult entertainment websites. Clicking these links downloads a WinRAR self-extracting (SFX) archive to the victim's computer, which extracts a number of batch files, executables, and VBS files into the C:\ProgramData folder. The first sign of a CTB-Faker infection is a pop-up error message that pretends to be a graphics card error; additional signs include slowed system performance and a spike in CPU usage. Rather than encrypting files in place, CTB-Faker moves all targeted files into a password-protected ZIP archive, then reboots the system and displays a ransom note claiming that the victim's files were encrypted by CTB-Locker. CTB-Faker demands an initial ransom of 0.0868 Bitcoin, or $50 USD, and threatens to double the price if payment is not submitted within seven days.
- Bleeping Computer has published additional information about CTB-Faker.
- The NJCCIC is not currently aware of any decryption tools available for CTB-Faker.
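Because CTB-Faker stages victim files in a password-protected ZIP instead of encrypting them in place, a responder can confirm that behaviour from the archive headers alone: bit 0 of each entry's general-purpose flag marks it as password protected. The following is an added example, not code from the NJCCIC page or from Bleeping Computer; the sample archive, its entry names and its contents are constructed here for illustration.

```python
import struct
import zlib

# ZIP local file header layout (PKWARE APPNOTE section 4.3.7), little-endian.
LOCAL_SIG = 0x04034B50
LOCAL_FMT = "<IHHHHHIIIHH"  # sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0: entry is password protected
FLAG_DATA_DESCRIPTOR = 0x0008  # sizes follow the data, so a header walk cannot continue

def encrypted_entries(zip_bytes):
    """Walk the local file headers and return the names of password-protected entries.

    Header-only parsing: it works on a partially written archive and never tries
    to open the protected content, which is what an analyst wants during triage."""
    names, off, hdr = [], 0, struct.calcsize(LOCAL_FMT)
    while off + hdr <= len(zip_bytes):
        f = struct.unpack_from(LOCAL_FMT, zip_bytes, off)
        if f[0] != LOCAL_SIG:
            break  # first central-directory record (or trailing junk) ends the walk
        flags, csize, nlen, xlen = f[2], f[7], f[9], f[10]
        name = zip_bytes[off + hdr:off + hdr + nlen].decode("cp437", "replace")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # compressed size is not in this header; stop rather than misparse
        off += hdr + nlen + xlen + csize
    return names

def build_zip(entries):
    """Construct a minimal stored ZIP from (name, data, protected) tuples; protected
    entries only get the flag bit set, the data stays plaintext (constructed sample)."""
    local, central = b"", b""
    for name, data, protected in entries:
        nb, flags, crc, off = name.encode(), FLAG_ENCRYPTED if protected else 0, zlib.crc32(data), len(local)
        local += struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, 0, 0, 0,
                             crc, len(data), len(data), len(nb), 0) + nb + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                               crc, len(data), len(data), len(nb), 0, 0, 0, 0, 0, off) + nb
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd

# Constructed sample: user documents flagged as password protected, the shape of the
# archive CTB-Faker leaves behind (contents are placeholder text, not real ciphertext).
SAMPLE_ZIP = build_zip([
    ("Documents/report.docx", b"constructed sample 1", True),
    ("Pictures/holiday.jpg", b"constructed sample 2", True),
])
```

Running `encrypted_entries` over an archive found on a suspected victim lists the protected entries without needing the password, which is enough to distinguish this archive-and-lock behaviour from genuine file encryption.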