Google Chrome update Spam drops CTB Locker/Critroni Ransomware

Google Chrome update Spam drops CTB Locker/Critroni Ransomware

Beware of emails appearing to come from Google warning you that “Your version of Google Chrome is potentially vulnerable and out of date”.

In this latest spam wave, cyber crooks are tricking users into downloading the well-known browser, except that it’s a dangerous Trojan that will encrypt your personal files and demand a hefty ransom to decrypt them back.


The payload is not attached to the email but instead gets downloaded from various websites that appear to have been compromised.

One particular domain appears to serve as the dynamic redirection mechanism:

It then directs the user to one of the following sites where the fake installer is hosted:

hxxp:// hxxp:// hxxp:// hxxp:// hxxp://

Running “ChromeSetup.exe” will not install Google Chrome. Instead the Windows wallpaper will change to this:


This is not just a fake warning. The files on the systems are indeed encrypted:


The bad guys demand a ransom that can be paid using Bitcoins:


Malwarebytes Anti-Malware detect this ransomware as Trojan.ZBAgent.NS and will eradicate it.


The problem with ransomware is that while the active Trojans can be removed, it is much more difficult and sometimes impossible to recover the encrypted files.

The folks at BleepingComputer have some tips on how to restore your encrypted files. However, as is often the case, prevention is critical to avoid a nasty ransomware infection.

Social engineering remains a powerful technique to trick people into running programs they shouldn’t. As a rule of thumb you should always only download files from their official website rather than from some unknown site.

Further reading:

“Crypto Ransomware” CTB-Locker (Critroni.A) on the rise | MalwareDontNeedCoffee


Jérôme Segura

Principal Threat Researcher