What is Ransomware?
Ransomware is the generic name for any malicious program that takes your data hostage and then demands a ransom “at gunpoint”.
CTB Locker is currently the most prolific of these programs. Its modus operandi is to encrypt your documents and then demand a ransom in exchange for the key needed to decrypt your files and regain access to them. Paying the attacker does not guarantee that you will receive the key. In some cases victims have had to pay the ransom 3 or 4 times before receiving a key. Other victims receive no reply at all from the attacker after paying the ransom.
How do I get infected?
Infection typically happens via an unsolicited email carrying an attachment that claims to come from a trusted source.
By opening the attachment (PDF, ZIP etc.) you allow CTB Locker to run its encryption routine. You will normally only realize this when it is too late, because the encryption runs in the background.
How can I protect myself?
– Back up your data on a regular basis – this is by far the most effective and reliable form of data protection. A backup is defined as having (at least) two current and verified copies of your data stored in separate locations away from your computer.
– Do not open any attachment from a source that you are not 100% sure of – most of these emails appear (on the surface) to come from a legitimate source.
– Update your operating system, applications and anti-virus software on a daily basis.
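A backup only counts as “verified” if you can prove each copy still matches the original. The script below is an added example (not code from the original article or from the contributor): it hashes the source tree when the backup is made and later re-checks every copy against those hashes, so a copy that ransomware has overwritten or deleted is reported instead of silently trusted. The directory names and sample files are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every file under root, taken at backup time."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_copy(manifest: dict, copy_root: Path) -> list:
    """List every manifest entry that is missing or altered in this copy."""
    problems = []
    for rel, digest in manifest.items():
        target = copy_root / rel
        if not target.is_file():
            problems.append("missing: " + rel)
        elif hash_file(target) != digest:
            problems.append("altered: " + rel)
    return problems

def _write(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def demo() -> tuple:
    """Constructed sample: a source tree, a faithful copy and a copy that was damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = (Path(tmp) / n for n in ("source", "copy_a", "copy_b"))
        for root in (src, good, bad):
            _write(root / "docs" / "report.txt", b"quarterly figures\n")
            _write(root / "photos" / "img.bin", bytes(range(256)))
        manifest = build_manifest(src)
        # Simulate what ransomware does to copy_b: one file overwritten, one file gone.
        _write(bad / "docs" / "report.txt", os.urandom(64))
        (bad / "photos" / "img.bin").unlink()
        return verify_copy(manifest, good), verify_copy(manifest, bad)

if __name__ == "__main__":
    ok, broken = demo()
    print("copy_a:", ok or "verified")
    print("copy_b:", broken)
```

Store the manifest with the backup, on media the infected machine cannot write to, otherwise the same malware that encrypts your files can rewrite the hashes as well.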
Am I protected from Ransomware using an Anti-Virus program?
No. Most anti-virus programs will not prevent the attack and will only detect the malware after it has encrypted your files.
Can data be recovered after being encrypted with the CTB Locker?
There is currently no known method to repair, recover or decrypt the files. Once the files are encrypted, they cannot be decrypted without the key.
CTB Locker uses a strong, varying 2048-bit encryption scheme, so the files cannot be decrypted using a fixed pattern or algorithm. In some cases fragments of previously deleted and temporary files can be recovered using low-level data recovery methods. The success rate is normally very low, because the recovered files lie outside the normal storage and naming structure: they carry no filenames and are simply numbered in sequence.
Contributed by:
Henk Smit
Tecleo Data Recovery Lab