CTB-Locker Sends Decryption Keys Over Bitcoin Blockchain

An interesting article has surfaced on PC World, which details how Bitcoin ransomware infections through CTB-Locker can be solved by looking at Bitcoin transactions. Or to be more precise, that would be the most positive outcome as this malware apparently stores decryption keys within the metadata of Bitcoin transactions.

Also read: ShapeShift CEO Erik Voorhees Reveals Hack Was an Inside Job

A New Way To Crack CTB-Locker?

CTB-Locker has proven to be quite an annoying strain of Bitcoin ransomware, which has been all but impossible to crack by security experts. Up until now, that is, as it turns out finding these decryption keys is not as difficult as originally assumed. But it will not be a walk in the park either; that much is certain,

According to the PC World article, the author of CTB-Locker has come up with the ingenious way of storing the decryption key for every infection on the Bitcoin blockchain. Keeping in mind how all of these transactions are broadcasted to the public, the creators have designed this method to deliver the decryption keys to victims who paid the ransom.

This is a step up from the previous c&c server strategy Bitcoin ransomware used. CTB-Locker would send information back to the creator’s own servers to confirm the payment, and that same route would be used to deliver the decryption key to the victim. But this is not the most reliable method and a new solution had to be found.After all, why not use the Bitcoin blockchain?

The OP_RETURN field found within the Bitcoin source code makes this principle possible. This same function lets users include a message or other data with every transaction, and can easily hold a decryption key. Although these transactions are not validated by the blockchain – assailants create bogus tx on purpose – it is still recorded on the blockchain.

Once this step has been completed, the CTB-Locker ransomware will execute a script to scan the blockchain for the transaction history linked to the Bitcoin address used. The decryption key is extracted from the bogus transaction, and file access is restored. In a way, this system is elegant and kind of interesting, although it is being used for nefarious purposes.

Source: PC World

Images credit 1,2

If you liked this article follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news.