Fake Google Chrome update leads to CTB Locker/Critroni Ransomware

A ransomware kind of threat has been on the loose that works by encrypting the data on the infected computer and then displays a message to the victim asking him/her to pay a fee so as to unlock the files. The ransomware is called Critron or can also be referred to as the CTB-Locker.

Chrome installers are downloaded from multiple locations:

The harmful payload is downloaded from websites that happen to be attacked by the hackers for the purpose of hosting malicious piece, Jerome Segura from Malwarebytes reported.


The threat works by redirecting the user dynamically to a website determined to be at assetdigitalmarketingcom/redirectphp. The next the victim sees is a sort of file appearing to be an installer for Google Chrome. The encryption process begins as soon as the installer is launched and at the end of the operation, the ransom message is delivered.


One can access the data without paying the ransom if the malware is of an older version. This is because the older version does not delete the shadow copies of the files created by Windows Volume Shadow Service. However, in the event that the files are not recovered, the items can still be retrieved through a program called Shadow Explorer; still, every version does not have this fault.

New CTB-Locker is pricier than before:

An extended grace period for making the bitcoin payment comes with the latest versions of Critroni which extends the period to 96 hours rather than the original 72. However, there is a higher cost attached to this; in the summer 2014, the demand was a few more hundred dollars instead of less than 50.

As a sign of good faith, it also contains versions of ransom message in various languages that allows one to decrypt a total of five items.

The newest release of ransomware have seemingly been caught by Malwarebytes (detected as Trojan.ZBAgent.NS), as the payment request if for 2 bitcoins (currently about $450/€400) with 96 hours being the deadline. The victim’s files are encrypted when the waiting period gets over after which the decrypting key also gets deleted from the server.

Google Chrome is activated automatically in the background without the user’s need to intervene; this should be remembered by users whenever they encounter the scam. When the user re-launches the application, the new version becomes available and the entire process runs smoothly.

Internet Explorer receives its updates via Windows Update while Mozilla Firefox has an automatic update process.

The new program version does not have its notifications delivered through the email and there are alerts built in the program. Therefore it is wise to verify any available revision of an application in question rather than updating from link received through an email.

Related Posts