20 comments on “CTB-Locker encryption/decryption scheme in details”

  1. I was wondering if during file encryption AES_KEY_1 can be retrieved by dumping the RAM, and if CTB-Locker attempts to encrypt new files added to the computer…

    • You can dump the key during encryption, but it doesn’t help you too much because the key is randomly created…
      New files are not touched by CTB.

      • I understand, it’s nearly impossible to decrypt…
        The only way could be to search for the AES key in the swap file, but that needs a lot of luck…

  2. Pingback: Actus Sécurité Confirmé 2015 S08 | La Mare du Gof

  3. Pingback: 1 – CTB-Locker encryption/decryption scheme in details | blog.offeryour.com

  4. I am a professional photographer. A few weeks ago my computer was attacked by CTB-LOCKER, the one with the black screen and code KEY. Proven Data Recovery has been able to identify the VARIANT of the virus I have. It is – RSA-2048 CTB-Locker encryption virus.
    They want 2,600 for the decryption of 300 image files that this virus has encrypted on an SD CARD. The computer still reads close to 900 MB of data on the card and I have been told by multiple sources that there is a chance my images are still there, but I have had no luck and it’s going to take me quite some time to come up with this money, so in the meantime I am exploring other options and learning more about computers and code than I would otherwise ever have cared to.

    It angers me to no end that people can actually even do this. That they can hurt total strangers in this way. Hurt their jobs. Affect their lives just for the sake of doing so and then dangle our data in front of us so we freak out and jump. I refuse to pay this RANSOM and it is frustrating to no end that the supposed GOOD GUYS want WAY THE HELL MORE!! It’s very backwards to me and does not seem right. It is almost impossible to get a simple straight answer from people in this area and there is a lot of double talk, and I have had a couple of people remote access my computer and I see them try things even I have tried.

    The files that are blocked were never on my hard drive. I didn’t even have time to make a hard copy. One moment they were fine and the next they were encrypted. I have done 2 system restores and a factory restore and the computer has updated protection, but the files remain locked on my card.

    Is there any effective decryption for CTB-LOCKER – RSA-2048 CTB-Locker encryption virus?

    What are the odds? Is it even worth saving all this money for these people? He did ID the variant. Even that came as a shock. It’s all I have to go on. Maybe, if you think you have a solution for me, of course I would be willing to work out a payment arrangement, but I would need to see at least SOME proof. Maybe do one or two that I can see. There are 300 on the card and I am really quite desperate for this material, or to be told convincingly and enough times that all hope is lost. I am not at that point yet.

    Thanks for your time

  5. Is it possible to reconstruct the master key when you have all keys but the master, and both the source and the encrypted version of a file?

    • I was also wondering if the Master could be decrypted if all the other elements are known, and both files (encrypted and before encryption) are available?

  6. Pingback: The state of Ransomware in 2015 | Fox-IT International blog

  7. Pingback: The state of Ransomware in 2015 | vulnerablelife

  8. Pingback: A king’s ransom: an analysis of the CTB-locker ransomware | vulnerablelife

  9. Pingback: The current state of ransomware: CTB-Locker – Net Universe International Corp

  10. Any possibility to decrypt files (by paying the ransom) if CTB was removed from the PC (but I still have the “DecryptAllFiles.txt”)?
    If not… any possibility if infected again?


  11. Pingback: The current state of ransomware: CTB-Locker - The Cloud Key

  12. Thanks for your explanation of CTB-locker.

    From your description I conclude that the only thing I have to keep to be able to decrypt the files in the future (if the master secret key is somehow found, e.g. by police) is the files themselves. The hardware identification is stored in the encrypted files, so decryption can take place on another computer. (If the master secret key is miraculously retrieved from the malicious server.)
