Bitcoin Ransomware Now Spreading via Spam Campaigns

Security firms McAfee and Symantec have issued warnings on CTB-Locker – bitcoin-demanding ransomware that is now being propagated via spam.

AccessTimeIconJan 26, 2015 at 5:36 p.m. UTC
Updated Sep 11, 2021 at 11:28 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Security firms McAfee Labs and Symantec have issued warnings that a type of bitcoin-demanding ransomware, CTB-Locker, is now being propagated through spam campaigns.

The malware, the name of which stands for 'Curve Tor Bitcoin Locker', was first identified last year. However, the spam distribution approach appears to be a relatively new development.

McAfee published its latest advisory last week, describing CTB-Locker as a form of ransomware that encrypts files on the target computer. Anecdotal evidence suggests .jpg image files are a frequent target. The victim then has to pay a ransom to have the files decrypted.

that the process of dealing with crypto malware is “particularly nasty to deal with”.

How it works

Upon installation, CTB-Locker injects malicious code into the 'svchost.exe' file, creating a scheduled task for moving and encrypting files.

The malware encrypts the compromised files using elliptical curve encryption, which appears to be equivalent to RSA encryption with a 3,072-bit key.

Once the encryption is complete, the user is informed of the attack through a pop-up ransom message.

The message displays a 96-hour countdown. If the user does not pay the bitcoin ransom within 96 hours, the decryption key is destroyed and the files remain permanently encrypted. 2015-01-26 12-34-48 2015-01-26 12-34-48

The pop-up allows the user to see the list of encrypted files, along with information on how to make a payment and get the decryption code.

Detection, infection and propagation vectors

McAfee detects CTB-Locker under three different names: BackDoor-FCKQ, Downloader-FAMV and Injector-FMZ. Symantec identifies the final payload as Trojan.Cryptolocker.E.

The malware is being propagated via spam campaigns, as a .zip archive stored within another .zip file. The zipped file contains the downloader for CTB-Locker.

So far, researchers have uncovered the following names used to store the downloader:


Aside from standard sound security practices (eg: not opening .zip files from untrusted sources), McAfee has published a number of recommendations to mitigate the threat using McAfee products.

The Symantec blog also offers useful information on CTB-Locker for users of Symantec security products.

Should victims be unwilling or unable to pay the ransom, there is virtually no way of recovering the encrypted files. The best way of reducing the impact of a potential crypto ransomware attack is to backup valuable files on a regular basis.

CTB-Locker pop-up image via Symantec; Spam image via Shutterstock.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.