2014-12-28 - Geo-Focus

Critroni += NL and IT += DE += ES

CTB Locker += NL & IT



Studying the Revslider infection schemes, I got redirected via "Revslider Case 3" (cf. Sucuri blog post) to Nuclear Pack.

Revslider Case 3 - Path to Nuclear Pack delivering Critroni
2014-12-28


Decoded Payload: 10f0eaa794f48ad0b15034e0683cb15f

It's CTB Locker aka Critroni.

What is new to me here is the random encrypted file extension:

Encoded RTF with unique extension

Files dropped in MyDocuments
(background wallpaper and decryption explanation)
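As an added defender-side example (not code from the original post, nor from any tool it mentions), the script below does the two triage steps the observations above call for: it matches a file's MD5 against the sample hashes listed on this page, and it flags a documents folder where several files share a suspicious random-looking extension of the kind the screenshot shows. The allowlist of "normal" extensions, the length/entropy cut-offs, the `min_files` threshold and the constructed file listing are all assumptions; whether the extension replaces or is appended to the original one is not stated on the page, so only the last suffix is examined and the heuristic works either way.

```python
import hashlib
import math
from collections import defaultdict

# MD5 hashes of the samples listed on this page (page-provided IoCs).
KNOWN_SAMPLE_MD5 = {
    "10f0eaa794f48ad0b15034e0683cb15f": "Critroni / CTB Locker, NL+IT build (2014-12-28)",
    "82f941fbd483e0684daed99f006488f1": "Critroni / CTB Locker, DE build (2015-01-17)",
    "f251200975ae1eb1df4fab9c1b715b77": "Critroni / CTB Locker, FR/ES/LV build (2015-02-22)",
}

# Extensions a user documents folder normally contains (assumed allowlist; extend as needed).
COMMON_EXTENSIONS = {
    "rtf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf",
    "txt", "jpg", "jpeg", "png", "gif", "zip", "csv", "odt",
}


def md5_of_bytes(data: bytes) -> str:
    """Hex MD5 of file content, the hash form used on the page."""
    return hashlib.md5(data).hexdigest()


def label_known_sample(md5_hex: str):
    """Return the page's label for a known sample hash, or None if unknown."""
    return KNOWN_SAMPLE_MD5.get(md5_hex.lower())


def _shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the string's own symbol frequencies."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random_extension(ext: str) -> bool:
    """Heuristic for a per-victim random extension: a lower-case alphabetic
    suffix of 5+ letters that is not a known document type and shows little
    character repetition (assumed thresholds)."""
    ext = ext.lower()
    if ext in COMMON_EXTENSIONS or not ext.isalpha() or len(ext) < 5:
        return False
    return _shannon_entropy(ext) >= 2.0


def extension_of(path: str) -> str:
    """Last suffix of the file name, or '' when there is none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1]


def suspicious_extension_groups(paths, min_files=3):
    """Group paths by random-looking extension; a single odd file is noise,
    many files sharing one such extension is the mass-rename pattern."""
    groups = defaultdict(list)
    for p in paths:
        ext = extension_of(p)
        if ext and looks_random_extension(ext):
            groups[ext].append(p)
    return {ext: sorted(ps) for ext, ps in groups.items() if len(ps) >= min_files}


# Constructed listing of a documents folder after an infection (not real data).
SAMPLE_LISTING = [
    "C:/Users/victim/Documents/budget.xlsx",
    "C:/Users/victim/Documents/letter.rtf.kqzxrtp",
    "C:/Users/victim/Documents/report.docx.kqzxrtp",
    "C:/Users/victim/Documents/photos/holiday.jpg.kqzxrtp",
    "C:/Users/victim/Documents/notes.txt",
    "C:/Users/victim/Documents/archive.tar.gz",
]

if __name__ == "__main__":
    for ext, files in suspicious_extension_groups(SAMPLE_LISTING).items():
        print(f"extension .{ext}: {len(files)} files, e.g. {files[0]}")
    print(label_known_sample("10f0eaa794f48ad0b15034e0683cb15f"))
```

In practice the listing would come from `os.walk` over the user's Documents folder, and the hash check from reading the dropped payload; both are left as plain function inputs here so the logic can be exercised offline. The entropy cut-off is deliberately loose and will flag some legitimate unusual extensions, which is why the grouping threshold, not the single-file check, drives the alert.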


And the integration of two languages: NL and IT

Critroni -  First Screen NL
2014-12-28
Critroni - First Screen IT
2014-12-28
Critroni - Test Explanation - NL
2014-12-28
Critroni - Test Explanation - IT
2014-12-28

Critroni - Decryption Test - NL
2014-12-28



Bitcoin Address Screen - NL
1AjhFhf7rE2V3sKmTxoK7t6M7aaymTrt5G

BTC explanation - NL
2014-12-28




[Edit 2015-01-17]
+= DE

Critroni / CTB Locker in German - 2015-01-17

Critroni - German 2015-01-17



[/edit]

CTB Locker - FR

Files: Critroni_NL_IT.zip (Fiddler and payload)
+= DE version (Sample : 82f941fbd483e0684daed99f006488f1)
+= FR ES LV version (sample f251200975ae1eb1df4fab9c1b715b77 - 2015-02-22)

RANSOMWARE
Critroni Nuclear Pack RevSlider CTB Locker IT NL