The IT security community appears to be witnessing an outbreak of a new hazardous file-encrypting ransomware. It has been active since early April, and the attack surface has broadened to thousands of machines throughout the globe in less than a fortnight. The analysis of its Delphi code and activity patterns is somewhat raw at this point, but it’s already fair to assert that the infection is a standalone sample most likely created independently. At first, however, there was some controversy regarding its possible affiliation with known breeds such as TeslaCrypt and CryptoWall, but these turned out to be mere speculations. Based on binary strings extracted by researchers, the newcomer is referred to as CryptXXX or CryptProjectXXX.
Here’s a quick overview of this sample’s traits: it uses an uncrackable cipher to encrypt data, appends a “.crypt” extension to the filenames of all encoded items, and creates ransom instruction documents in three formats, namely de_crypt_readme.txt, de_crypt_readme.bmp, and de_crypt_readme.html.
One of the interesting details about the .crypt ransomware is that the way users fall victim to it doesn’t involve the commonplace email attachment trickery. Instead, most people run into the problem during a streaming video session. The rendering of video in real time is unlikely to cause issues per se, therefore sponsored ads pose a more probable source of the contagion. Users tend to click whatever interrupts their favorite sports event or TV show episode, just to get the popups out of the way. This seemingly innocuous click may trigger the ransomware execution routine by redirecting the person to a page hosting an exploit kit like Angler or initiating an obfuscated download process. The Internet extortionists are obviously breaking new ground in terms of malware propagation.
Another unusual thing regarding this trojan is the path from which it is launched on an infected computer. As opposed to other ransomware strains that mostly run from AppData, LocalAppData or Temp, the process of the new .crypt threat is dropped to ProgramData. It is a .dat file whose name coincides with the victim’s personal ID indicated in the de_crypt_readme recovery directions. Meanwhile, CryptXXX also creates a new DLL in Temp directory which runs with a delay of about an hour.
When started, the malady targets widespread types of files on local drive volumes, removable drives and network shares. It also collects data related to instant messengers and mail clients. By the way, the accompanying warning messages mention the RSA-4096 encryption standard, but the length of public and private keys is in fact smaller. That’s sort of an extra intimidation hype that doesn’t really change anything – the crypto is extremely strong anyway.
Some real facts now: the affected user needs to pay 1.2 Bitcoins, or 500 USD, within 96 hours of the infection first running on the workstation. If the payment is overdue, the ransom doubles to 1000 USD. In case the user does submit the money via the multi-lingual “Decrypt Service” Tor (.onion) page, he or she can supposedly download a decryptor application, launch it, scan the computer for ciphered files, and get them back. According to some user reports, though, the criminals don’t keep their promises. Under the circumstances, it’s recommended to try the Volume Shadow Copy trick, leverage recovery tools or restore files from backup.
This is an exceptionally efficient method for taking care of malware overall and ransomware threats in particular. The use of a reputable security suite ensures scrupulous detection of all virus components and a complete removal thereof in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things, but the need to remove the pest is indisputable as it has been reported to drop other trojans while operating.
It has been mentioned that the .crypt ransomware applies strong crypto to render files inaccessible, so there’s no magic wand that restores all of the encrypted data in the blink of an eye, except of course submitting the unthinkable ransom. There do exist techniques, though, which can lend you a helping hand in recovering the important stuff – learn what those are.
Automatic file recovery software
It’s kind of interesting to know that this infection erases the original files in an unencrypted form. It’s the copies that undergo the ransomware’s crypto processing. So tools like Data Recovery Pro can restore the deleted objects even if they got removed in a secure way. This workaround is definitely worthwhile as it proved to be fairly effective.
Shadow Volume Copies
This approach relies on the native Windows backup of files on the computer, which is conducted at each restore point. There is an important condition to this method: it works if the System Restore feature was toggled on before the contamination. Also, if changes were made to a file after the most recent restore point, they won’t be reflected in the recovered file version.
The Properties dialog for any file has a tab called Previous Versions. That’s where the backed up versions are displayed and can be recovered from. So right-click on a file, go to Properties, hit the above-mentioned tab and select the Copy or Restore option, depending on the location you would like it recovered to.
The above process can be automated with a tool called Shadow Explorer. It basically does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. So download and install the application, run it and browse to files and folders whose previous versions you wish to be restored. To get the job done, right-click on any of the entries and select the Export feature.
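The same Shadow Volume Copy recovery can be done in bulk for every file the ransomware renamed with the “.crypt” extension. The script below is an added example, not code from the original post or from any of the tools mentioned; it assumes System Restore was on before the infection, that the ransomware has already been removed, that it runs in an elevated PowerShell session, and that the $ScanRoot and $RecoverRoot paths are placeholders you adjust.

```powershell
# Added example: restore the pre-encryption versions of *.crypt files from the
# newest Volume Shadow Copy into a separate recovery folder (never in place).
param(
    [string]$ScanRoot    = 'C:\Users',          # placeholder: where *.crypt files live
    [string]$RecoverRoot = 'D:\crypt_recovery'  # placeholder: restored copies go here
)

# Only files on the same volume as $ScanRoot can come from that volume's shadow copy;
# removable drives and network shares need their own backups.
$driveLetter = (Get-Item -LiteralPath $ScanRoot).PSDrive.Name + ':'        # e.g. 'C:'
$volumeId = (Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $driveLetter }).DeviceID              # '\\?\Volume{...}\'
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $shadow) { throw "No shadow copy for $driveLetter; System Restore was probably off." }

# Expose the shadow copy as a directory symlink; mklink needs the trailing backslash.
$mount = Join-Path $env:TEMP 'vss_mount'
if (Test-Path -LiteralPath $mount) { cmd /c rmdir "$mount" | Out-Null }
cmd /c mklink /d "$mount" "$($shadow.DeviceObject)\" | Out-Null

$restored = 0; $missing = 0
Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Filter '*.crypt' -ErrorAction SilentlyContinue |
ForEach-Object {
    # The original path is the encrypted path minus the appended '.crypt'.
    $originalRel = $_.FullName.Substring($driveLetter.Length + 1) -replace '\.crypt$', ''
    $source = Join-Path $mount $originalRel
    if (Test-Path -LiteralPath $source) {
        $dest = Join-Path $RecoverRoot $originalRel
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Copy-Item -LiteralPath $source -Destination $dest -Force
        $restored++
    } else {
        # Created or changed after the last restore point, so no shadow version exists.
        $missing++
    }
}

# rmdir removes only the link, not the shadow copy contents behind it.
cmd /c rmdir "$mount" | Out-Null
"Restored $restored file(s) to $RecoverRoot; $missing had no shadow version."
```

Files changed after the most recent restore point are reported as missing rather than overwritten, which mirrors the caveat above about the Previous Versions tab.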
Out of all the options that aren’t ransom-related, this one is the best. In the event you had been backing up your information to an external server before the ransomware hit your PC, restoring the files encrypted by .crypt malware is as simple as logging into the respective interface, selecting the right files and initiating the restore transaction proper. Before you do so, however, be sure to completely remove the ransomware from your computer.
In case you chose to stick to the manual cleanup technique, some fragments of the ransomware may have stayed as obfuscated objects in the operating system or registry entries. To make sure there are no malicious components of the threat left, have your computer scanned with a reliable malware security suite.