Developers of CTB-Locker Ransomware Start Using Bitcoin's Blockchain

Ransomware infections have increased dramatically over the last few months and their ingenious authors are now using bitcoin’s blockchain to send file decryption codes to paying victims.

In traditional CTB-Locker ransomware versions, perpetrators have to rely on a network of previously-hacked servers, which host hidden scripts that send decryption keys when victims pay bitcoin ransoms. This solution is very unreliable due to the fact that these hacked servers are frequently patched, and this cuts into the bottom line of the developers.

However, in more recent variants of the ransomware that targets servers, developers have devised a clever way to anonymously deliver decryption keys: embedding them in the OP_RETURN field.

The technique was explained in detail by Denis Sinegubko, a senior malware researcher at internet security firm Sucuri. The OP_RETURN field was implemented in the Bitcoin protocol so that small chunks of data could be added to each transaction.

According to Sinegubko’s post, the new variant of CTB-Locker - which was first observed in March of this year - baits victims into sending a small bitcoin transaction (0.0001 BTC) which decrypts a small portion of the victim’s encrypted files.

He explains in his post:

“If they see 0.0001 BTC, the wallet’s blockchain is appended with a new transaction whose OP_RETURN field contains the decryption key for the two free test files. If the victims pays the full price, they add a transaction with keys for both test and the rest of the encrypted files.”

Despite the “cleverness” of these ransomware developers, Sinegubko’s investigation revealed that very few webmasters pay the ransom, “Out of almost 100 sites I checked, only one had a real “free decryption test” 0.0001 BTC transaction.” he writes.

Image credit: Shutterstock