{"id":40787,"date":"2015-01-21T10:09:16","date_gmt":"2015-01-21T18:09:16","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=40787"},"modified":"2025-06-04T03:25:28","modified_gmt":"2025-06-04T10:25:28","slug":"rise-backdoor-fckq-ctb-locker","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-backdoor-fckq-ctb-locker\/","title":{"rendered":"The Rise of Backdoor-FCKQ (CTB-Locker)"},"content":{"rendered":"<p><strong>By Raj Samani (@Raj_Samani) and Christiaan Beek (@ChristiaanBeek)<\/strong><\/p>\n<p>In the <em>McAfee Labs Threats Report<\/em> published in November 2014, Senior Vice President Vincent Weafer commented that 2014 will be remembered as \u201cthe year of shaken trust.\u201d Indeed, almost every threat measured saw notable increases in Q3 that pointed to a rather ominous 2015. There was, however, one notable exception: ransomware.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/ransomeware.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-40788\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/ransomeware.jpg\" alt=\"ransomeware\" width=\"630\" height=\"421\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/ransomeware.jpg 630w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/ransomeware-300x200.jpg 300w\" sizes=\"auto, (max-width: 630px) 100vw, 630px\" \/><\/a><\/p>\n<p>The preceding figure provided a respite against the threat of ransomware, but as foreseen in the McAfee Labs Threats Predictions, \u201cRansomware will evolve its methods of propagation, encryption, and the targets it seeks.\u201d<\/p>\n<p>For many, this prediction appears to be ringing true with the rise in Backdoor-FCKQ (also known as CTB-Locker), now distributed via multiple channels including IRC, peer-to-peer networks, newsgroup postings, email spam, 
etc.<\/p>\n<h2><strong>Details<\/strong><\/h2>\n<p>\u201cBackdoor-FCKQ\u201d is a new crypto malware delivered through email that encrypts data files on the target system.<\/p>\n<p>It copies itself to the following folder:<\/p>\n<ul>\n<li>%temp%\\&lt;7 random characters&gt;.exe<\/li>\n<li>%temp%\\wkqifwe.exe<\/li>\n<\/ul>\n<p>It also creates a scheduled task (.job) file whose name contains seven random characters:<\/p>\n<ul>\n<li>%windir%\\Tasks\\cderkbm.job<\/li>\n<\/ul>\n<p>The following registry keys are added to the system:<\/p>\n<ul>\n<li>%ALLUSERSPROFILE%\\Application Data\\Microsoft\\&lt;7 random characters&gt;<\/li>\n<\/ul>\n<p>It injects code into svchost.exe, and svchost.exe then launches files from the following location:<\/p>\n<ul>\n<li>%temp%\\&lt;7 random characters&gt;.exe<\/li>\n<\/ul>\n<p>The code injected into svchost.exe will encrypt files with the following extensions:<\/p>\n<ul>\n<li>.pdf<\/li>\n<li>.xls<\/li>\n<li>.ppt<\/li>\n<li>.txt<\/li>\n<li>.py<\/li>\n<li>.wb2<\/li>\n<li>.jpg<\/li>\n<li>.odb<\/li>\n<li>.dbf<\/li>\n<li>.md<\/li>\n<li>.js<\/li>\n<li>.pl<\/li>\n<\/ul>\n<p>Once a system is infected, the malware displays the following image:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/CTBLocker.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-40789\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/CTBLocker.jpg\" alt=\"CTBLocker\" width=\"804\" height=\"554\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CTBLocker.jpg 930w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CTBLocker-300x206.jpg 300w\" sizes=\"auto, (max-width: 804px) 100vw, 804px\" \/><\/a><\/p>\n<p>The newly created process creates a mutex named:<\/p>\n<ul>\n<li>\\BaseNamedObjects\\lyhrsugiwwnvnn<\/li>\n<\/ul>\n<p>An interesting angle in this new round of Backdoor-FCKQ malware is the use of the well-known downloader Dalexis. There are several versions of this downloader. 
A simple query in our internal database returned more than 900 hits for this downloader and variants of it. To circumvent antispam tools, the downloader is hidden in a zip file that contains another zip file and eventually unpacks to a .scr (screensaver) file.<\/p>\n<p>The function of the downloader is to download additional malware from certain locations, unpack the XOR-encoded malware, and execute it. In this case, the additional malware, CTB, was packed in the file pack.tar.gz:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/code-1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-40790\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/code-1.jpg\" alt=\"code 1\" width=\"811\" height=\"393\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/code-1.jpg 952w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/code-1-300x145.jpg 300w\" sizes=\"auto, (max-width: 811px) 100vw, 811px\" \/><\/a><strong>Figure 1: pack.tar.gz.<\/strong><\/p>\n<p>As we can see from the preceding screenshot, there\u2019s no file header present that represents a known file type. For example, if this were an executable file, the first two characters (aka the magic number) would have been &#8220;MZ.&#8221; This is one of the ways in which malware authors try to circumvent gateway detection of malware. Another trick we have seen frequently of late is to put the payload of the malware on Pastebin or GitHub.<\/p>\n<p>In this case, pack.tar.gz used different XOR keys to encrypt parts of the file. 
Once this puzzle was cracked, the unpacked code of Backdoor-FCKQ was revealed:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/code-2.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-40791\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/code-2.jpg\" alt=\"code 2\" width=\"804\" height=\"410\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/code-2.jpg 804w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/code-2-300x152.jpg 300w\" sizes=\"auto, (max-width: 804px) 100vw, 804px\" \/><\/a><strong>Figure 2: Unpacked code of Backdoor-FCKQ.<\/strong><\/p>\n<p>With multiple samples of Backdoor-FCKQ (CTB-Locker) as comparison material, we immediately recognized parts of the code.<\/p>\n<p>As a quick YARA detection rule, the following can be used:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/code-3.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-40792\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/code-3.jpg\" alt=\"code 3\" width=\"628\" height=\"454\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/code-3.jpg 600w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/code-3-300x217.jpg 300w\" sizes=\"auto, (max-width: 628px) 100vw, 628px\" \/><\/a><\/p>\n<h2><strong>Bitcoin trail<\/strong><\/h2>\n<p>When we traced the Bitcoin trail and possible transactions, we found no value on the account and no transactions made to other accounts.<\/p>\n<h2><strong>Removal<\/strong><\/h2>\n<p>All users: Use current <a href=\"https:\/\/www.mcafee.com\/apps\/downloads\/security_updates\/dat.asp\">engine and DAT files<\/a> for detection and removal.<\/p>\n<p>Modifications made to the system registry and\/or INI files to hook system start-up will be successfully removed when cleaning with the recommended engine and DAT combination (or later versions).<\/p>\n<p><strong>A special thanks to 
Sanchit Karve for his assistance in the analysis.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Raj Samani (@Raj_Samani) and Christiaan Beek (@ChristiaanBeek) In the McAfee Labs Threats Report published in November 2014, Senior Vice&#8230;<\/p>\n","protected":false},"author":460,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180,4140],"coauthors":[1359,3576],"class_list":["post-40787","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware","tag-quarterly-threats-report"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/40787","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/460"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=40787"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/40787\/revisions"}],"predecessor-version":[{"id":215092,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/40787\/revisions\/215092"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=40787"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=40787"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=40787"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=40787"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}