
CCryptor Ransomware

Posted: October 29, 2019

The CCryptor Ransomware is a file-locking Trojan without a known family. Like better-known threats such as Hidden Tear, it blocks the user's digital media with encryption and holds the files for ransom. Users should rely on backups as their preferred recovery solution to infections, while keeping anti-malware products available for removing the CCryptor Ransomware safely.

English Trojans with a Smattering of Chinese

File-locking Trojans tend to come into the wild as natural byproducts of larger, preexisting family businesses, such as the Scarab Ransomware's Ransomware-as-a-Service operation, or as tweaks of freely available code like Hidden Tear. The CCryptor Ransomware belongs to neither class and may be a one-off Trojan of its kind. This uniqueness also bleeds into its ransom note, which has some less-common characteristics besides the usual demands for money.

The CCryptor Ransomware is a Windows-based threat that uses AES-256 encryption to lock the user's files. This primary feature targets media formats such as JPG pictures, documents, archives, spreadsheets, etc. Like many Trojans of its kind, the CCryptor Ransomware also appends its name as an extension to each file's original filename, which makes it immediately identifiable – but only after it has blocked the user's content.

The CCryptor Ransomware also drops a Notepad TXT file, which serves the role of a traditional ransom note and sells the threat actor's unlocking or decryption help. However, its template is not one used by the usual Ransomware-as-a-Service families, and it includes an eighty-dollar ransom that rises by five dollars each day. Perhaps most oddly, the CCryptor Ransomware provides a transaction code in Chinese characters, despite the English used in the rest of the note. Malware experts haven't come across other file-locking Trojans using this particular format for negotiations.
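The two artifacts described above, an appended extension on otherwise high-entropy files and a dropped TXT ransom note, are what a responder can triage for on a suspect host. The script below is an added example and is not code from the article or from the Trojan; it builds a small constructed sample tree, scores each file's byte entropy (AES output is close to 8 bits per byte, whereas documents and pictures with structure score lower), and flags files that carry the suspect extension together with text files whose wording looks like a ransom note. The extension string `.ccryptor` is a placeholder assumption, since the article says the Trojan appends its own name but does not quote the exact string; the ransom-note keywords are likewise assumed.

```python
"""Triage a directory tree for signs of a file-locking Trojan: files with an
appended ransom extension whose contents look encrypted, and dropped TXT notes.
Added example for illustration; the extension and keywords are assumptions."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUSPECT_EXTENSION = ".ccryptor"   # placeholder: the article does not quote the real string
RANSOM_NOTE_HINTS = ("decrypt", "ransom", "bitcoin", "payment")  # assumed wording
ENTROPY_THRESHOLD = 7.5           # bits per byte; ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(path: Path):
    """Return 'locked', 'suspicious-extension', 'note', or None for a single file."""
    name = path.name.lower()
    data = path.read_bytes()
    if name.endswith(SUSPECT_EXTENSION):
        # Appended extension plus near-random content is the signature of a locked file;
        # the same extension with structured content is worth a look but not conclusive.
        return "locked" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "suspicious-extension"
    if name.endswith(".txt"):
        text = data.decode("utf-8", errors="ignore").lower()
        hits = sum(1 for hint in RANSOM_NOTE_HINTS if hint in text)
        if hits >= 2:   # require two keywords to avoid flagging ordinary notes
            return "note"
    return None


def scan_tree(root: Path) -> dict:
    """Walk the tree and group relative file paths by classification."""
    findings = {"locked": [], "suspicious-extension": [], "note": [], "other": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            label = classify_file(p) or "other"
            findings[label].append(p.relative_to(root).as_posix())
    for label in findings:
        findings[label].sort()
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two 'locked' files, a ransom note, and clean files."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    # os.urandom stands in for AES ciphertext: same extension pattern, same entropy profile
    (root / "docs" / "photo.jpg" + SUSPECT_EXTENSION).write_bytes(os.urandom(4096)) if False else None
    (root / "docs" / ("photo.jpg" + SUSPECT_EXTENSION)).write_bytes(os.urandom(4096))
    (root / "docs" / ("budget.xlsx" + SUSPECT_EXTENSION)).write_bytes(os.urandom(4096))
    (root / "docs" / "README_DECRYPT.txt").write_text(
        "Your files are encrypted. To decrypt them send payment in bitcoin within 24 hours.\n"
    )
    (root / "docs" / "meeting.txt").write_text("Agenda: quarterly planning, hiring, budget.\n")
    (root / "clean.pdf").write_bytes(b"%PDF-1.4 plain structured content " * 100)


def run_demo() -> dict:
    """Create the sample tree in a temp directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for label, paths in run_demo().items():
        print(f"{label}: {paths}")
```

On a real host the interesting output is the list under `locked` (scope of the damage, and the timestamps of those files bound the infection window) and the `note` list, which points at the directories the Trojan walked. The two-keyword rule and the 7.5-bit threshold are deliberately conservative; compressed formats such as ZIP or JPEG already score high on entropy, which is why the extension match is required before a file is called locked.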

Catching Fake Adobe Updates in Time

Currently, the CCryptor Ransomware is attacking Windows systems disguised as an Adobe-brand updater, which could be for such products as the Photoshop image-editing suite or the PDF Reader. It also contacts external servers for unknown reasons – possibly to report successful infections or to gather an encryption key. Notably, the threat is also one of a handful that use Pastebin resources for C&C, just like the old KratosCrypt Ransomware.

The CCryptor Ransomware's Adobe-themed disguise extends beyond the file name to other file details, such as the executable's copyright and description lines. However, malware researchers see no use of a digital certificate and rate its obfuscation against static detection by security products as limited. Nonetheless, none of these characteristics remove the need for a backup for victims who want a full recovery of their data without paying the Trojan's ransom. The CCryptor Ransomware is reaching Windows machines through methods that might range from e-mail spam to malvertising, but there is no need to watch its ticking ransom clock. A backup taken daily, weekly, or monthly is far better than spending your time and money on a Trojan's schedule.
