Trojan.Cryptolocker.F

Posted: June 5, 2014

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	9/10
Infected PCs:	5

First Seen:	June 5, 2014
Last Seen:	June 12, 2019
OS(es) Affected:	Windows

Trojan.Cryptolocker.F is a file encryptor Trojan, or threat that scrambles data on affected files to make them unusable without a decryption 'key' that reverses the process. The majority of file encryption attacks involve attempts to hold the victims' data for ransom, and Trojan.Cryptolocker.F adheres to this trend via the same ransom-based pop-up windows that may display during its attack. Recent campaigns for Trojan.Cryptolocker.F Trojans have used fraudulent spam e-mail links, and malware experts continue to advise PC users to use reliable browser security to block threat installers, and anti-malware utilities to remove Trojan.Cryptolocker.F, rather than pay the demanded ransom.

The New File Locker Hidden in Your Energy Bill

The overall CryptoLocker family is one responsible for a wide range of minor variants on the same theme: threatening software that encrypts the files on an infected computer and then displays requests for ransoms through both pop-ups and instructional text files. You can identify files encrypted by Trojan.Cryptolocker.F with the suffix '.encrypted,' which this Trojan adds to the end of each file name. However, malware experts have witnessed some cases of Trojan.Cryptolocker.F failing to complete its encryption attack, in which case the renamed file still may be completely usable. This seemingly unintended oversight is particularly convenient, considering the form of encryption exploited by Trojan.Cryptolocker.F, which is difficult to decrypt via third-party tools.

Malware experts also managed to track down the source of recent Trojan.Cryptolocker.F installations: e-mail messages disguised to resemble energy bills from the company EnergyAustralia. The enclosed link to energymar.com subjected victims to downloads of Trojan.Cryptolocker.F, which proceeded with its attacks against their computers and associated information. Reports at the current date indicate that this website, which also used real links to EnergyAustralia Web resources, no longer is online. However, this fact may be a cold comfort to any victims who already have lost access to files encrypted by Trojan.Cryptolocker.F, whose administrator claims that he will return a decryption key only after payment of a monetary fee.

The Magic Key to Unlock Your Files from Trojan.Cryptolocker.F Attacks

Trojan.Cryptolocker.F may advise you to make your ransom payment as fast as possible, but malware researchers would recommend a different (and much cheaper) course of action. Trojan.Cryptolocker.F does not have any advanced defensive functions versus typical anti-malware solutions, and competent anti-malware programs should be able to remove Trojan.Cryptolocker.F easily. Afterward, you can inspect any 'encrypted' files to verify the encryption or lack of it. If necessary, restoring your files from backups, particularly remote ones (such as a USB backup drive) will restore all information without any need to partake in Trojan.Cryptolocker.F's extortion process.

Even with these ways of dealing with Trojan.Cryptolocker.F, it clearly is preferable to keep Trojan.Cryptolocker.F from invading your PC at all. Instead of clicking on links from 'legitimate companies' in unexpected e-mail messages, malware experts suggest loading company websites independently of your e-mail-reading sessions. Doing this will allow you to verify any unexpected bills without putting your computer at risk for aesthetically-misleading attacks like Trojan.Cryptolocker.F's spam. Naturally, Australian PC users are expected as most at risk of the latest attack, although the CryptoLocker family also is active in other regions.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%Windir%\[RANDOM FILE NAME].exe

File name: %Windir%\[RANDOM FILE NAME].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

PLEASE_READ.txt

File name: PLEASE_READ.txt
Mime Type: unknown/txt
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\{Value}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"kygxiuqw" = %Windir%\[RANDOM FILE NAME].exeHKEY..\..\..\..{Subkeys}HKEY_CURRENT_USER\Software\Bit Torrent Application

Additional Information

The following messages's were detected:

#	Message
1	!!! YOUR SYSTEM IS HACKED !!! All your files was encrypted with Cryptolocker! This means that without the decryption key the recovery of your files is not possible, If your files have a value to you and you are willing to pay me for the decryption key please contact me: decrypt-request@mail.ua You have 3 days to pay for my services. After this period, you will lose all your files. Anti-virus software can remove Cryptolocker, but can not decrypt your fles. The only way to recover your files -is to pay for the decryption key. Information for IT-specialist: Data was encrypted with AES (Rijndael) algorithm with the session key length if 256 bits. Session key is encrypted with RSA (2048 bits) algorithm. Public-key is enclosed into Cryptolocker. Private-key for decryption of the session key is stored only in my database. To crack this key, you will need more than a million years time.

Message

!!! YOUR SYSTEM IS HACKED !!! All your files was encrypted with Cryptolocker! This means that without the decryption key the recovery of your files is not possible, If your files have a value to you and you are willing to pay me for the decryption key please contact me: decrypt-request@mail.ua You have 3 days to pay for my services. After this period, you will lose all your files. Anti-virus software can remove Cryptolocker, but can not decrypt your fles. The only way to recover your files -is to pay for the decryption key. Information for IT-specialist: Data was encrypted with AES (Rijndael) algorithm with the session key length if 256 bits. Session key is encrypted with RSA (2048 bits) algorithm. Public-key is enclosed into Cryptolocker. Private-key for decryption of the session key is stored only in my database. To crack this key, you will need more than a million years time.