{
	"id": "de7c591f-2f08-491e-9b15-f6d3f56401d1",
	"created_at": "2026-04-06T00:07:11.766675Z",
	"updated_at": "2026-04-10T03:20:50.272933Z",
	"deleted_at": null,
	"sha1_hash": "91f1ced99303f17c7cb377bd42d3ca3fe2c56f96",
	"title": "Polyglot - the fake CTB-locker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1252927,
	"plain_text": "Polyglot - the fake CTB-locker\r\nBy Anton Ivanov\r\nPublished: 2016-10-03 · Archived: 2026-04-05 22:58:08 UTC\r\nCryptor malware programs currently pose a very real cybersecurity threat to users and companies. Clearly, organizing\r\neffective security requires the use of security solutions that incorporate a broad range of technologies capable of preventing\r\na cryptor program from landing on a potential victim’s computer or reacting quickly to stop an ongoing data encryption\r\nprocess and roll back any malicious changes. However, what can be done if an infection does occur and important data has\r\nbeen encrypted? (Infection can occur on nodes that, for whatever reason, were not protected by a security solution, or if the\r\nsolution was disabled by an administrator.) In this case, the victim’s only hope is that the attackers made some mistakes\r\nwhen implementing the cryptographic algorithm, or used a weak encryption algorithm.\r\nA brief description\r\nThe cryptor dubbed Polyglot emerged in late August. According to the information available to us, it is distributed in spam\r\nemails that contain a link to a malicious RAR archive. The archive contains the cryptor’s executable code.\r\nHere are some examples of the links used:\r\nhXXp://bank-info.gq/downloads/reshenie_suda.rar\r\nhXXp://bank-info.gq/downloads/dogovor.rar\r\nWhen the infected file is launched, nothing appears to happen. However, the cryptor copies itself under random names to a\r\ndozen or so places, writes itself to the autostart folder and to TaskScheduler. When the installation is complete, file\r\nencryption starts. 
The user’s files do not appear to change (their names and extensions remain the same), but the user is no longer able to open them.\r\nWhen encryption is complete, the cryptor changes the desktop wallpaper (interestingly, the wallpaper image is unique to each victim) and displays the ransom message.\r\nFigure: The cryptor’s main window\r\nhttps://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/\r\nPage 1 of 10\n\nFigure: New desktop wallpaper with the “open key” block unique to each victim computer\r\nThe user is offered the chance to decrypt several files for free.\r\nFigure: The free trial decryption window\r\nAfter this, the user is told to pay for file decryption in bitcoins. The cryptor contacts its C\u0026C, which is located on the Tor network, for the ransom sum and the bitcoin address where it should be sent.\r\nFigure: C\u0026C communication window\r\nFrom this moment on, the cryptor allows the user to check the ransom payment status on the C\u0026C.\r\nFigure: Ransom payment details\r\nIf the ransom is not paid on time, the cryptor notifies the user that it is no longer possible to decrypt their files and that it is about to ‘self-delete’.\r\nFigure: Last window displayed by Polyglot\r\nImitating CTB-Locker\r\nInitially, this cryptor caught our attention because it mimics all the features of another widespread cryptor, CTB-Locker (Trojan-Ransom.Win32.Onion). The graphical interface window, the language switch, the sequence of actions for requesting the encryption key, the payment page, the desktop wallpapers: all of them are very similar to those used by CTB-Locker. 
The visual design has been copied very closely, and the messages in Polyglot’s windows have been copied word for word.\r\nFigure: The main graphical interface windows (Polyglot vs. CTB-Locker)\r\nFigure: List of encrypted files (Polyglot vs. CTB-Locker)\r\nFigure: Window for the trial decryption of 5 random files (Polyglot vs. CTB-Locker)\r\nFigure: The private key request window (Polyglot vs. CTB-Locker)\r\nFigure: The desktop wallpapers (Polyglot vs. CTB-Locker)\r\nFigure: The ‘connection failed’ error message (Polyglot vs. CTB-Locker)\r\nFigure: Offline decryption instructions (Polyglot vs. CTB-Locker)\r\nThe similarities do not stop there. Even the encryption algorithms used by the cybercriminals have clearly been chosen to imitate those used in CTB-Locker.\r\nComparison of Polyglot and CTB-Locker:\r\nAlgorithms used for file encryption\r\n    Polyglot: file content is packed into a ZIP archive and then encrypted with AES-256.\r\n    CTB-Locker: file content is compressed with Zlib and then encrypted with AES-256.\r\nAlgorithms used while working with the keys\r\n    Polyglot: ECDH (elliptic curve Diffie-Hellman), curve25519, SHA256.\r\n    CTB-Locker: ECDH (elliptic curve Diffie-Hellman), curve25519, SHA256.\r\nExtensions of encrypted files\r\n    Polyglot: file extensions are not changed.\r\n    CTB-Locker: file extensions are changed, depending on the version: .ctbl, .ctb2, or 7 random lower-case Latin letters.\r\nDemo decryption\r\n    Polyglot: 5 files are decrypted for free as a demo. Their decryption keys and file names are saved in the registry.\r\n    CTB-Locker: 5 files are decrypted for free as a demo. Their decryption keys are only stored in RAM while the process is running.\r\nC\u0026C location\r\n    Polyglot: the C\u0026C is in the Tor network; communication is via a public tor2web service.\r\n    CTB-Locker: the C\u0026C is in the Tor network; communication is via a Tor client integrated into the Trojan, or (in some versions of CTB-Locker) via a public tor2web service.\r\nTraffic protection / obfuscation\r\n    Polyglot: bitwise NOT operation.\r\n    CTB-Locker: AES encryption.\r\nThat said, we should note the following: a detailed analysis has revealed that Polyglot was developed independently from CTB-Locker; in other words, no shared code has been detected in the two Trojans (except the publicly available DLL code). Perhaps the creators of Polyglot wanted to disorient the victims and researchers, and created a near carbon copy of CTB-Locker from scratch to make it look like a CTB-Locker attack, so that there appeared to be no hope of getting files decrypted for free.\r\nC\u0026C communication\r\nThe Trojan contacts the C\u0026C server located on Tor via a public tor2web service, using the HTTP protocol.\r\nPrior to each of the data requests below, a POST request is sent with just one parameter: “live=1”.\r\nRequest 1.\r\nAt the start of operation, the Trojan reports the successful infection to the C\u0026C. The following data is sent to the C\u0026C:\r\n{\r\n    \"ip\": \"xxx.xxx.xxx.xxx\",         // IP address of the infected computer\r\n    \"method\": \"register\",         // action type; \"register\" = Trojan informs the C\u0026C of a new infection\r\n    \"uid\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",         // infected computer’s ID\r\n    \"version\": \"10f\",         // Trojan version contained in its body\r\n    \"info\": \"Microsoft (build xxxx), 64-bit\",         // OS version on the infected computer\r\n    \"description\": \" \",         // always a single whitespace (\" \")\r\n    \"start_time\": \"14740xxxxx\",         // Trojan’s start time\r\n    \"end_time\": \"0\",         // encryption finish time; 0 = no encryption has run yet\r\n    \"user_id\": \"5\"         // number hardwired in the sample\r\n}\r\nThis data block is passed through a bitwise NOT operation, encoded into Base64 and sent to the C\u0026C in a POST request. Because bitwise NOT is its own inverse, a gcdata value captured from proxy logs or a packet capture can be decoded offline by Base64-decoding it and inverting every byte.\r\nFigure: Contents of the sent request\r\nParameters of the POST request:\r\n    signature: CRC32 of the sent data\r\n    ver: Trojan version\r\n    gcdata: the data, with contents as described above\r\nFigure: Request 1 and the reply received from the C\u0026C\r\nRequest 2.\r\nWhen the Trojan has finished encrypting the user’s data, it sends another request to the C\u0026C. The content of the request is identical to that of request 1 except for the field “end_time”, which now shows the time encryption was completed.\r\nRequest 3.\r\nThis is sent to the C\u0026C to request the bitcoin address for payment and the ransom sum to be paid.\r\n{\r\n    \"method\": \"getbtcpay\",\r\n    \"uid\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"\r\n}\r\nThe C\u0026C replies to this request with the following data:\r\n{\r\n    \"code\": \"0\",\r\n    \"text\": \"OK\",\r\n    \"address\": \"xxxxxxxx\",         // bitcoin address (may vary)\r\n    \"btc\": 0.7,         // amount to be paid in BTC (may vary)\r\n    \"usd\": 319.98         // amount to be paid in USD (may vary)\r\n}\r\nRequest 4.\r\nThis is sent to request a file decryption key from the C\u0026C.\r\n{\r\n    \"method\": \"getkeys\",\r\n    \"key\": \"\",\r\n    \"uid\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\r\n    \"info\": [\"DYqbX3m9u0Pk9bE9Rg2Co3empC2M/yrnqgNS3r0AT2vwCw8Zas08bd4BNiO3XuAqi6/5WQ0VBiUkRUToo+YFL/QtPkiRIQ/D9RyKhzpBHlNpf2h\r\n}\r\nRequest 5.\r\nThe Trojan reports that data decryption has been completed and states the number of decrypted files to the C\u0026C.\r\n{\r\n    \"method\": \"setend\",\r\n    \"uid\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\r\n    \"decrypted\": \"1\"\r\n}\r\nDescription of the encryption algorithm\r\nDuring our analysis of the malicious code, it became evident that the Trojan encrypts files in three stages, 
creating intermediate files:\r\n1. First, the original file is placed in a password-protected ZIP archive. The archive has the same name as the original file plus the extension “a19”.\r\n2. Polyglot encrypts the password-protected archive with the AES-256-ECB algorithm. The resulting file again uses the name of the original file, but the extension is now changed to “ap19”.\r\n3. The Trojan deletes the original file and the file with the extension “a19”. The extension of the resulting file is changed from “ap19” to that of the original file.\r\nFiles with the “a19” or “ap19” extension should therefore only be found on disk if encryption was interrupted part-way through.\r\nFigure: Flowchart of the search and file encryption actions performed by Polyglot\r\nA separate AES key is generated for each file; it is derived from a ‘shared secret’ produced by the Diffie-Hellman protocol on an elliptic curve. However, first things first.\r\nBefore encrypting any files, the Trojan generates two random sequences, each 32 bytes long. The SHA256 digests of these sequences become the private keys s_ec_priv_1 and s_ec_priv_2. Then, the Bernstein elliptic curve (Curve25519) is used to obtain the public keys s_ec_pub_1 and s_ec_pub_2 (respectively) from each private key.\r\nThe Trojan creates the structure decryption_info and writes the following to it: the random sequence used as the basis for creating the key s_ec_priv_1, the string machine_guid taken from the registry, and a few zero bytes.\r\nstruct decryption_info\r\n{\r\n        char s_rand_str_1[32];\r\n        char machine_guid[36];\r\n        char zeroes[12];\r\n};\r\nUsing the private key s_ec_priv_2 and the cybercriminal’s public key mal_pub_key produces the shared secret mal_shared_secret = ECDH(s_ec_priv_2, mal_pub_key). The structure decryption_info is encrypted with the AES-256-ECB algorithm using a key that is the SHA256 digest of this secret (the structure is 32 + 36 + 12 = 80 bytes, exactly five 16-byte AES blocks, so no padding is involved). 
For convenience, we shall call the obtained 80 bytes of the encrypted structure encrypted_info.\r\nOnly when Polyglot obtains the encrypted_info value does it proceed to generate the AES session key for the file. Using the above method, a new pair of keys is generated, f_priv_key and f_pub_key. Using f_priv_key and s_ec_pub_1 produces the shared secret f_shared_secret = ECDH(f_priv_key, s_ec_pub_1).\r\nThe SHA256 digest of this secret is the AES key with which the file is encrypted.\r\nTo mark the file as already encrypted and to make its decryption possible, the cybercriminals write the structure file_info to the start of each encrypted file:\r\nstruct file_info\r\n{\r\n        char label[4] = {'H', 'U', 'I', 0x00};\r\n        uint32_t label2 = 1;\r\n        uint64_t archive_size;\r\n        char f_pub_key[32];\r\n        char s_ec_pub_1[32];\r\n        char s_ec_pub_2[32];\r\n        char encrypted_info[80];\r\n};\r\nThis header is everything the attacker needs for the paid decryption: with mal_priv_key and s_ec_pub_2 they compute mal_shared_secret, decrypt encrypted_info to obtain s_rand_str_1 and hence s_ec_priv_1, and then derive the same file key from ECDH(s_ec_priv_1, f_pub_key), which by the Diffie-Hellman property equals ECDH(f_priv_key, s_ec_pub_1). Since file names and extensions are left unchanged, the label “HUI” followed by label2 = 1 at offset 0 is also the simplest way to tell encrypted files from intact ones.\r\nThe elliptic curve, the Diffie-Hellman protocol, AES-256, a password-protected archive: it was almost flawless. But not quite, because the creator of Polyglot made a few mistakes during implementation. This gave us the opportunity to help the victims and restore files that had been encrypted by Polyglot.\r\nMistakes made by the creators\r\nAs was mentioned earlier, all the created keys are based on a randomly generated array of characters. Therefore, the strength of the keys is determined by the generator’s strength. And we were surprised to see the implementation of this generator:\r\nFigure: A graphical representation of the random sequence generation procedure\r\nLet’s convert this function into pseudocode so it’s easier to follow:\r\nPlease note that when another random byte is selected, the entire result of the function rand() is not used, just the remainder of dividing the result by 32. 
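What this means in practice, as an added example that is not part of the original article or of Kaspersky Lab's decryptor: the Python code below (standard library only) replicates the key chain described above, parses the file_info header as laid out above, and shows how a victim-side tool recovers a per-file AES key once the random sequence is known to come from a weak generator. Two assumptions are made that the article does not state: rand() is taken to be the Microsoft C runtime LCG (state = state * 214013 + 2531011, returning 15 bits) started from a 32-bit srand() seed, and the Curve25519 private keys are clamped as in standard X25519. The sample header, the seeds, the zeroed encrypted_info field and the 512-seed search window are constructed for the demonstration; the real search covers the generator's whole seed space, and the AES-256-ECB layer itself is left out because the standard library has no AES.

```python
import hashlib
import struct

# --- Curve25519 scalar multiplication (RFC 7748 Montgomery ladder), stdlib only ---
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, 'little')

def x25519(scalar, point):
    # Standard X25519 clamping of the private scalar is assumed for Polyglot's keys.
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, 'little')
    u = int.from_bytes(point, 'little') & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * ((da - cb) ** 2) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, 'little')

# --- The weak generator: MSVC CRT rand() (assumption), only rand() % 32 kept per byte ---
class MsvcRand:
    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def rand(self):
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF

def weak_random_string(seed, length=32):
    # 32 bytes of 5 bits each, but every byte is a function of the single 32-bit seed,
    # so the number of possible strings is the seed space, not 32**32.
    rng = MsvcRand(seed)
    return bytes(rng.rand() % 32 for _ in range(length))

def private_key_from(seed):
    # The article: the SHA256 digest of the random sequence is the private key.
    return hashlib.sha256(weak_random_string(seed)).digest()

# --- file_info header: label, label2, archive_size, f_pub_key, s_ec_pub_1, s_ec_pub_2, encrypted_info ---
FILE_INFO = struct.Struct('<4sIQ32s32s32s80s')   # 192 bytes, little-endian, no padding
LABEL = b'HUI' + bytes(1)

def parse_file_info(data):
    # Returns None for anything that does not start with the Polyglot header.
    if len(data) < FILE_INFO.size:
        return None
    label, label2, archive_size, f_pub, s_pub_1, s_pub_2, enc_info = FILE_INFO.unpack_from(data)
    if label != LABEL or label2 != 1:
        return None
    return {'archive_size': archive_size, 'f_pub_key': f_pub,
            's_ec_pub_1': s_pub_1, 's_ec_pub_2': s_pub_2, 'encrypted_info': enc_info}

def build_sample_file(victim_seed, file_seed, archive_size=1000):
    # Constructed sample that follows the Trojan's key derivation for one file.
    s_priv_1 = private_key_from(victim_seed)
    s_pub_1 = x25519(s_priv_1, BASEPOINT)
    s_pub_2 = x25519(private_key_from(victim_seed + 1), BASEPOINT)   # second random sequence
    f_priv = private_key_from(file_seed)
    f_pub = x25519(f_priv, BASEPOINT)
    aes_key = hashlib.sha256(x25519(f_priv, s_pub_1)).digest()       # SHA256(f_shared_secret)
    header = FILE_INFO.pack(LABEL, 1, archive_size, f_pub, s_pub_1, s_pub_2, bytes(80))
    return header + bytes(16), aes_key   # placeholder body stands in for the AES-256-ECB ciphertext

def recover_file_key(data, seed_range):
    # Victim-side recovery: rebuild s_ec_priv_1 from each candidate seed, match s_ec_pub_1 in
    # the header, then ECDH(s_ec_priv_1, f_pub_key) equals the Trojan's ECDH(f_priv_key, s_ec_pub_1).
    info = parse_file_info(data)
    if info is None:
        return None
    for seed in seed_range:
        s_priv_1 = private_key_from(seed)
        if x25519(s_priv_1, BASEPOINT) == info['s_ec_pub_1']:
            return seed, hashlib.sha256(x25519(s_priv_1, info['f_pub_key'])).digest()
    return None

if __name__ == '__main__':
    sample, true_key = build_sample_file(victim_seed=333, file_seed=4242)
    found = recover_file_key(sample, range(0, 512))
    print('recovered seed', found[0], 'key matches', found[1] == true_key)
```

The function to take away is recover_file_key: the only secret the victim's side lacks is s_ec_priv_1, and because that value collapses to one rand() seed, the search cost is the seed space of the generator, not the 2^160 suggested by 32 five-bit bytes. Once the AES key is known, the remaining layer is the password-protected ZIP archive discussed next.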
Only the cybercriminal knows why they decided to make the random string this much weaker: an exhaustive search of the entire set of possible keys produced by such a pseudo-random number generator only takes a few minutes on a standard PC.\r\nTaking advantage of this mistake, we were able to calculate the AES key for an encrypted file. Although there was still a password-protected archive below the layer of symmetric encryption, we already knew that the cybercriminal had made another mistake.\r\nLet’s look at how the archive key is generated:\r\nWe can see that the key length is only 4 bytes; moreover, these are specific bytes from the string MachineGuid, the unique ID assigned to the computer by the operating system (the same value the Trojan stores in decryption_info). Furthermore, a slightly modified MachineGuid string is displayed in the requirements text shown to the victim; this means that if we know the positions in which the 4 characters of the ZIP archive password are located, we can easily unpack the archive.\r\nFigure: The MachineGuid string displayed in the requirements screen\r\nConclusion\r\nFiles that are encrypted by this cryptor can be decrypted using Kaspersky Lab’s free anti-cryptor utility RannohDecryptor, version 1.9.3.0.\r\nAll Kaspersky Lab solutions detect this cryptor malware as:\r\nTrojan-Ransom.Win32.Polyglot\r\nPDM:Trojan.Win32.Generic\r\nMD5\r\nc8799816d792e0c35f2649fa565e4ecb – Trojan-Ransom.Win32.Polyglot.a\r\nSource: https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/"
	],
	"report_names": [
		"polyglot-the-fake-ctb-locker"
	],
	"threat_actors": [],
	"ts_created_at": 1775434031,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91f1ced99303f17c7cb377bd42d3ca3fe2c56f96.pdf",
		"text": "https://archive.orkl.eu/91f1ced99303f17c7cb377bd42d3ca3fe2c56f96.txt",
		"img": "https://archive.orkl.eu/91f1ced99303f17c7cb377bd42d3ca3fe2c56f96.jpg"
	}
}