CCryptor Ransomware Description
A new ransomware is on the loose. Security researchers spotted the new threat in late October 2019 and are calling it the CCryptor Ransomware.
The CCryptor Ransomware is distributed primarily through phishing emails that contain malicious links and exploit the vulnerability CVE-2017-11882 on Windows machines. The CCryptor Ransomware uses RSA and AES-256 encryption and, in addition to being ransomware, is also a delayed wiper. It gives its victims four days to pay the ransom; if payment is not made within that time frame, all data in the encrypted files will be deleted. The CCryptor Ransomware uses .NET Confuser to obfuscate its payload and evade detection.
Upon execution, the ransomware makes a copy of itself and drops it under %AppData%\Adobe\AdobeUpdate.exe to ensure persistence. The ransomware targets a large number of file types: around 360 extensions are affected. Curiously, the CCryptor Ransomware also keeps track of the current system time and OS language during the encryption process, storing the recorded values in the Registry.
The CCryptor campaign seems to be run by a small-time criminal outfit, as the ransom demand is laughably low compared to even the low end of the ransomware spectrum. The fee that the bad actors behind the CCryptor Ransomware require is just $80, and no one can guarantee that you will get your files back if you agree to pay. The ransom also increases by $5 for every day of delay, leading up to the deletion of files after four days.
The CCryptor Ransomware drops its ransom note in a file called "README!!!.txt," which consists primarily of a huge key that is unique to each victim. Curiously, the key does not use Latin letters, numbers and ASCII symbols, but what appear to be Chinese glyphs. The contact email used in this attack campaign is email@example.com.
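The two host artifacts named above, the self-copy at %AppData%\Adobe\AdobeUpdate.exe and the README!!!.txt ransom note, can be hunted for in file-creation telemetry. The Python example below is added here and is not part of the original write-up; it assumes events shaped like Sysmon FileCreate records (Computer, Image, TargetFilename), that %AppData% expands to the per-user Roaming folder, and an arbitrary threshold of three folders for the note check. The sample events are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: %AppData% expands to <drive>:\Users\<name>\AppData\Roaming.
# File name and folder come from the article; the regex itself is illustrative.
PERSISTENCE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\adobe\\adobeupdate\.exe$", re.I)
NOTE_NAME = "readme!!!.txt"   # ransom note name given in the article
NOTE_DIR_THRESHOLD = 3        # assumed cut-off: notes seen in this many folders

def is_persistence_path(path):
    """True if path is the per-user Adobe\\AdobeUpdate.exe location (any case, / or \\)."""
    return bool(path) and bool(PERSISTENCE_RE.match(str(PureWindowsPath(path))))

def triage(events):
    """Return {computer: sorted findings} for FileCreate-style event dicts."""
    note_dirs, findings = defaultdict(set), defaultdict(set)
    for ev in events:
        host = ev["Computer"]
        target = PureWindowsPath(ev["TargetFilename"])
        if is_persistence_path(ev["TargetFilename"]):
            findings[host].add("persistence-copy")
        if is_persistence_path(ev.get("Image")):
            findings[host].add("runs-from-persistence-path")
        if target.name.lower() == NOTE_NAME:
            note_dirs[host].add(str(target.parent).lower())
    # One README!!!.txt proves little; the same name in many folders is the signal.
    for host, dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            findings[host].add("ransom-notes")
    return {host: sorted(hits) for host, hits in findings.items()}

# Constructed sample events (not taken from a real incident).
DROPPED = r"C:\Users\alice\AppData\Roaming\Adobe\AdobeUpdate.exe"
SAMPLE_EVENTS = [dict(Computer=c, Image=i, TargetFilename=t) for c, i, t in [
    ("WS01", r"C:\Users\alice\AppData\Local\Temp\sample.exe", DROPPED),
    ("WS01", DROPPED, r"C:\Users\alice\Documents\README!!!.txt"),
    ("WS01", DROPPED, r"C:\Users\alice\Desktop\README!!!.txt"),
    ("WS01", DROPPED, r"C:\Users\alice\Pictures\readme!!!.TXT"),
    ("WS02", r"C:\Windows\System32\notepad.exe", r"C:\Tools\README!!!.txt"),
    ("WS02", r"C:\Windows\explorer.exe",
     r"C:\Users\bob\AppData\Roaming\Adobe\Acrobat\AdobeUpdate.exe"),
]]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, ", ".join(hits))
```

WS02 produces no finding: a single note file is below the threshold, and the AdobeUpdate.exe there sits in a different subfolder than the one the article names.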
The recommended protection against all ransomware types is keeping a regularly updated and comprehensive anti-malware suite installed on your PC.