Google Chrome update Spam drops CTB Locker/Critroni Ransomware

Beware of emails appearing to come from Google warning you that “Your version of Google Chrome is potentially vulnerable and out of date”.

In this latest spam wave, cyber crooks are tricking users into downloading what they believe is the well-known browser. What they actually get is a dangerous Trojan that encrypts their personal files and demands a hefty ransom to decrypt them.

[Image: spam]

The payload is not attached to the email but instead gets downloaded from various websites that appear to have been compromised.

One particular domain appears to serve as the dynamic redirection mechanism:

assetdigitalmarketing.com/redirect.php

It then directs the user to one of the following sites where the fake installer is hosted:

hxxp://www.thelastxmas.com/ChromeSetup.exe
hxxp://www.baddadsclub.com/ChromeSetup.exe
hxxp://cognacbrown.co.uk/ChromeSetup.exe
hxxp://www.geordie.land/ChromeSetup.exe
hxxp://www.goodtobeloved.com/ChromeSetup.exe
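The delivery chain above (mail link, redirect.php, then a "ChromeSetup.exe" served from a compromised third-party site) is easy to spot in web proxy logs. The following is an added example, not code from the original post or from Malwarebytes; it assumes a simplified "client referer url" log format and a constructed set of sample lines, and treats the set of official Google download hosts as an assumption.

```python
import re
from urllib.parse import urlparse

# Hosts Google legitimately serves the Chrome installer from (assumption for this example).
OFFICIAL_CHROME_HOSTS = {"dl.google.com", "www.google.com", "google.com"}

# Constructed proxy log lines, format "client referer url" ("-" = no referer).
# The hostnames come from the campaign described in the post; the traffic is made up.
SAMPLE_LOG = """\
10.0.0.12 - http://assetdigitalmarketing.com/redirect.php
10.0.0.12 http://assetdigitalmarketing.com/redirect.php http://www.thelastxmas.com/ChromeSetup.exe
10.0.0.33 - https://dl.google.com/chrome/install/ChromeSetup.exe
10.0.0.41 http://assetdigitalmarketing.com/redirect.php http://cognacbrown.co.uk/ChromeSetup.exe
10.0.0.50 - http://example.org/report.pdf
"""

LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<referer>\S+)\s+(?P<url>\S+)$")


def is_fake_chrome_download(url: str) -> bool:
    """True when a file named like the Chrome installer is fetched from a non-Google host."""
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    return filename == "chromesetup.exe" and parsed.hostname not in OFFICIAL_CHROME_HOSTS


def find_suspicious_downloads(log_text: str) -> list:
    """Return one record per fake-installer download, noting whether a redirector led there."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than failing the whole run
        url = match["url"]
        if not is_fake_chrome_download(url):
            continue
        referer = match["referer"]
        hits.append({
            "client": match["client"],
            "url": url,
            # A PHP redirector as referer matches the chain described in the post.
            "via_redirector": referer != "-" and referer.lower().endswith("/redirect.php"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_downloads(SAMPLE_LOG):
        print(hit)
```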

Running “ChromeSetup.exe” will not install Google Chrome. Instead the Windows wallpaper will change to this:

[Image: encrypted1]

This is not just a fake warning. The files on the system are indeed encrypted:

[Image: encrypted4]

The bad guys demand a ransom that can be paid using Bitcoins:

[Image: encrypted8]

Malwarebytes Anti-Malware detects this ransomware as Trojan.ZBAgent.NS and will eradicate it.

[Image: MBAM]

The problem with ransomware is that while the active Trojan can be removed, it is much more difficult, and sometimes impossible, to recover the encrypted files.

The folks at BleepingComputer have some tips on how to restore your encrypted files. However, as is often the case, prevention is critical to avoid a nasty ransomware infection.

Social engineering remains a powerful technique for tricking people into running programs they shouldn’t. As a rule of thumb, you should only ever download software from its official website, never from some unknown site.

Further reading:

“Crypto Ransomware” CTB-Locker (Critroni.A) on the rise | MalwareDontNeedCoffee

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher