CTB-Locker (Curve-Tor-Bitcoin-Locker), also known as Critroni, was the first crypto-ransomware to use the Tor network for C2. It targets all versions of Windows and, beginning in mid-2015, it specifically targeted users looking to upgrade to the Windows 10 OS. CTB-Locker is spread through drive-by downloads using exploit kits on compromised web pages, as well as spam email with .zip or .cab attachments. The ‘Curve’ portion of the name refers to the use of elliptic curve cryptography to encrypt files. The following extensions may be added to files encrypted by CTB-Locker: .ctbl, .ctb2, or random characters such as .ftelhdd or .ztswgmc, according to a post on Bleeping Computer.
- The NJCCIC is not aware of any decryption tools available for CTB-Locker.