The authors of Crypren, a new file-encrypting trojan sample, appear to have fairly modest mercantile appetites: they extort an unusually low ransom of 0.1 Bitcoin, which converts to about 40 USD. This feature, though, doesn’t make the attack any less abominable than the rest of the crypto malware assaults out there. The online criminals’ trump card in defrauding victims of their savings is the rather strong cryptosystem leveraged in the course of the compromise.
The offending program uses a blend of AES-256 and RSA-2048 to render personal data inaccessible. It targets files stored locally as well as those residing on mapped network shares and on external media currently attached to the infected computer, which may be running Windows or Linux. The range of file formats at risk isn’t very broad, covering about 40 different extensions, as opposed to some ransomware variants that lock hundreds of file types.
A straightforward symptom of the Crypren attack is the .encrypted string being attached to every mutilated file. An item named “resume.docx”, for instance, will therefore become “resume.docx.encrypted”, which certainly adds a bit of confusion to the mix. However, this isn’t the main thing that makes the victim realize something went wrong. The ransomware brings up a warning message in READ_THIS_TO_DECRYPT.html. It says:
“Your personal files have been encrypted. Your data (photos, documents, databases, etc.) have been encrypted with a private and unique key generated for this computer. This means that you will not be able to access your files anymore until they are decrypted. The private key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.”
The racketeers give the user seven days to send the payment and receive the private key in return, indicating a unique Bitcoin address at the bottom of the note. If they don’t receive the ransom within that period, the information necessary for decryption will allegedly be erased from their C2 server. In fact, it will most likely stay there, but the buyout amount may increase. Although Crypren doesn’t seem to be a super-complex ransomware sample, it does take one’s files hostage and its crypto routine is difficult to get around.
When an infection occurs, most of the affected users have their own curiosity to blame, because they opened an email attachment received from an unknown sender. This social engineering trick is by far the most heavily used attack vector in campaigns like this. The emails look interesting, as the subjects are CVs, payroll notifications, subpoenas and the like. The enclosed ZIP archives or PDF documents execute the ransom trojan on the system as soon as they are opened. In some cases these are Microsoft Office files that encourage users to enable macros, which is a nasty recommendation to follow.
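The two symptoms described above, the appended .encrypted extension and the READ_THIS_TO_DECRYPT.html note, are easy to sweep for across a machine. The following is an added example written for this page, not code from the original article or from the malware itself. It assumes a Windows host with PowerShell 3 or later; the function name Find-CryprenIndicators, the default scan roots and the per-folder alert threshold are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): sweep directory trees for the two
# indicators the article describes, files renamed with a trailing ".encrypted"
# extension and a ransom note named READ_THIS_TO_DECRYPT.html, and report them per folder.
# The function name, default roots and alert threshold are assumptions for illustration.
function Find-CryprenIndicators {
    param(
        # Default roots: every mounted filesystem drive, which covers local disks,
        # mapped network shares and inserted external media (all targeted per the article).
        [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }).Root,
        [int]$AlertThreshold = 5    # assumption: flag a folder once it holds this many renamed files
    )
    $noteName = 'READ_THIS_TO_DECRYPT.html'

    $hits = foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.encrypted' -or $_.Name -eq $noteName }
    }

    foreach ($g in ($hits | Group-Object DirectoryName | Sort-Object Count -Descending)) {
        $renamed = @($g.Group | Where-Object { $_.Extension -eq '.encrypted' })
        $hasNote = @($g.Group | Where-Object { $_.Name -eq $noteName }).Count -gt 0
        # A ransom note alone is a strong signal; renamed files count only above the threshold,
        # so a lone legitimate file that happens to end in .encrypted does not raise an alert.
        if ($hasNote -or $renamed.Count -ge $AlertThreshold) {
            [pscustomobject]@{
                Folder         = $g.Name
                EncryptedFiles = $renamed.Count
                RansomNote     = $hasNote
                # BaseName strips only the appended extension: resume.docx.encrypted -> resume.docx,
                # which is the original name a later restore should target.
                SampleOriginal = ($renamed | Select-Object -First 1 -ExpandProperty BaseName)
                # Earliest write time among the renamed files bounds when encryption began,
                # which tells you which shadow copy or backup predates the damage.
                FirstSeen      = ($renamed | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
            }
        }
    }
}

# Usage: scan the user profile only (drop -Roots to sweep every mounted drive).
Find-CryprenIndicators -Roots $env:USERPROFILE | Format-Table -AutoSize
```

The FirstSeen column is the value to keep: any backup or Shadow Volume Copy taken after that time already contains the renamed files, so only earlier ones are worth restoring from.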
In the event Crypren has crept into a computer and wreaked havoc with data on it, there are a couple of tips that will come in handy as far as the damage mitigation and file recovery are concerned.
Automatic cleanup with a security suite is an especially efficient method for taking care of malware in general and ransomware threats in particular. A reputable security suite ensures thorough detection of all components of the virus and their complete removal in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things; the need to remove the pest is nonetheless indisputable, as it has been reported to bring other trojans onto the system while operating.
As mentioned above, the Crypren ransomware applies strong crypto to render files inaccessible, so there’s no magic wand that restores all of the encrypted data in the blink of an eye, short of paying the ransom. There do exist techniques, though, that can help you recover the important stuff; here is what they are.
Automatic file recovery software
Interestingly, this infection encrypts copies of the original files and then erases the unencrypted originals. So tools like Data Recovery Pro can restore the deleted objects, even if they were removed in a secure way. This workaround is definitely worthwhile, as it has proven fairly effective.
Shadow Volume Copies
This approach relies on the native Windows backup of files, which is created at each restore point. There is an important condition: it works only if the System Restore feature was turned on before the contamination. Also, changes made to a file after the most recent restore point won’t be reflected in the recovered version.
The Properties dialog of any file has a tab called Previous Versions. That’s where the backed-up versions are listed and can be recovered from. So right-click on a file, go to Properties, open the above-mentioned tab and select the Copy or Restore option, depending on the location you would like the file recovered to.
The above process can be automated with a tool called Shadow Explorer. It basically does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. So download and install the application, run it and browse to files and folders whose previous versions you wish to be restored. To get the job done, right-click on any of the entries and select the Export feature.
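The same retrieval can be scripted for a whole folder, which is handy when many files need their pre-infection versions back. The block below is an added example for this page, not code from the original article or from the Shadow Explorer tool. It assumes an elevated PowerShell session (3 or later) on the affected Windows machine and that System Restore had kept at least one snapshot; the function names, the temporary link location C:\shadow_ro and the sample paths are assumptions.

```powershell
# Added example (not from the original article): verify that Shadow Volume Copies exist,
# pick the newest one taken before the encryption started, expose it through a directory
# link and copy the old versions of a folder out of it. Run from an elevated session.
# Function names, the link path and the sample paths are assumptions for illustration.

function Get-UsableShadowCopy {
    param(
        [string]$Volume = 'C:\',
        [datetime]$Before = (Get-Date)   # only snapshots older than this are useful
    )
    # Win32_Volume maps a drive letter to its volume GUID path, which is what
    # Win32_ShadowCopy.VolumeName refers to.
    $vol = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Volume }
    if (-not $vol) { throw "Volume $Volume not found" }
    $copies = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $Before }
    # No snapshots means System Restore was off (or the copies are gone); this route is unavailable.
    if (-not $copies) { return $null }
    $copies | Sort-Object InstallDate -Descending | Select-Object -First 1
}

function Restore-FolderFromShadowCopy {
    param(
        [Parameter(Mandatory)] [string]$RelativePath,   # e.g. 'Users\alice\Documents'
        [Parameter(Mandatory)] [string]$Destination,    # where the old versions are copied to
        [string]$Volume   = 'C:\',
        [datetime]$Before = (Get-Date),                 # pass the time encryption began, if known
        [string]$LinkPath = 'C:\shadow_ro'              # assumption: temporary link location
    )
    $copy = Get-UsableShadowCopy -Volume $Volume -Before $Before
    if (-not $copy) {
        Write-Warning "No shadow copy of $Volume older than $Before; try file recovery or backups instead."
        return
    }
    Write-Host "Using snapshot taken $($copy.InstallDate): $($copy.DeviceObject)"
    # The snapshot device path needs a trailing backslash for mklink to resolve it.
    cmd /c mklink /d $LinkPath "$($copy.DeviceObject)\" | Out-Null
    try {
        $source = Join-Path $LinkPath $RelativePath
        if (-not (Test-Path $source)) { throw "$RelativePath does not exist in that snapshot" }
        # Copy, never move: the snapshot is read-only and the link is temporary.
        Copy-Item -Path $source -Destination $Destination -Recurse -Force -ErrorAction Stop
    }
    finally {
        # rmdir removes the link itself, not the snapshot contents it points to.
        cmd /c rmdir $LinkPath | Out-Null
    }
}

# Usage (assumed paths): restore Documents as it was before the first .encrypted file appeared.
# Restore-FolderFromShadowCopy -RelativePath 'Users\alice\Documents' -Destination 'D:\recovered' `
#     -Before (Get-Date '2016-05-10 09:00')
```

Passing -Before with the time the first renamed file was written matters: the newest snapshot is not automatically the right one, since a restore point created after the infection already holds the .encrypted copies. Restore into a separate location first and compare before overwriting anything, and do it only after the ransomware itself has been removed.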
Of all the options that don’t involve the ransom, restoring from a backup is the best one. If you had been backing up your information to an external server before the ransomware hit your PC, restoring the files encrypted by the Crypren malware is as simple as logging into the respective interface, selecting the right files and initiating the restore proper. Before you do so, however, be sure to completely remove the ransomware from your computer.
In case you chose to stick to the manual cleanup technique, some fragments of the ransomware may have stayed as obfuscated objects in the operating system or registry entries. To make sure there are no malicious components of the threat left, have your computer scanned with a reliable malware security suite.