The test decryption feature gives victims the opportunity to decrypt up to five files of their choosing.
The test decryption feature gives victims the opportunity to decrypt up to five files of their choosing.

A variant of Curve-Tor-Bitcoin (CTB) Locker ransomware – also known as Critroni – being distributed in a spam campaign now offers victims additional time to pay the ransom, but also requires them to pay a whole lot more than previously, according to the latest research by Trend Micro.

The variant observed by Trend Micro gives victims 96 hours to pay three Bitcoins – or nearly $700, as of Friday – before the files become permanently encrypted, according to a Wednesday post. In July 2014, versions of CTB-Locker were observed giving victims 72 hours to make a payment that was typically less than one Bitcoin.

Trend Micro has observed this CTB-Locker variant being distributed through spam, and some samples were sent by systems that are part of the Cutwail botnet, the post indicates, going on to state that the ransomware is predominately impacting users in the Europe, the Middle East and Africa (EMEA), China, Latin America and India.

In a Thursday email correspondence, Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com that while he could not confirm conclusively, a Wednesday post by ESET appears to address the same threat.

In that post, spam is also how CTB-Locker is being distributed, but victims are required to pay a ransom of 8 Bitcoins – or more than $1,800, as of Friday – within 96 hours. ESET listed Poland, Czech Republic and Mexico as the most impacted countries, with the U.S. making up five percent of total infections.

Kafeine first wrote about CTB-Locker in July, and the researcher updated his post in August to report that CTB-Locker has a test decryption feature, which gives victims the opportunity to decrypt up to five files of their choosing.

Trend Micro and ESET both indicated that the feature is still available.

“We can only speculate on the criminals' thinking for this feature, but ultimately changes in tactics are meant to maximize their return,” Budd said. “We can only conclude that they view this sample decryption as increasing the likelihood someone affected will pay. It can best be thought of as a “proof of life” step in real life hostage situations.”

A new feature to this variant is a language option that allows victims to view the ransom messages in English, Italian, German and Dutch, according to a Wednesday post.

“I wouldn't say [the attackers have] elevated their game as much as are continuing to refine their tactics in order to maximize their returns,” Budd said.

A Wednesday McAfee Labs post also appears to address CTB-Locker, but Budd said it is “hard to say” if it is the same threat.

“The best thing people can do regarding ransomware is prevent infections in the first place,” Budd said. “Running modern security packages and not opening unknown or unexpected attachments can best protect against ransomware infections.”