
CROWN Ransomware

Posted: July 10, 2019

The CROWN Ransomware is a file-locking Trojan that uses Hidden Tear's code. The CROWN Ransomware can encrypt and lock files automatically, as well as display borderless pop-ups with its ransom demands for the unlocker. Victims can protect their digital media with various backup strategies or use anti-malware programs for deleting the CROWN Ransomware before it attacks.

The New Crown on the Head of an Old Money-for-Nothing Tactic

A retooled version of Hidden Tear that used infamous 'free Ethereum' affiliate links as its distribution method is finding its way to computers under a new name. The BulbaCrypt Ransomware's unique distribution tactic isn't necessarily intact in this new release, the CROWN Ransomware, but malware experts can confirm that the encryption remains in place. It also has a very different ransoming message, although this fact isn't comforting to any victims who can't open their files.

The CROWN Ransomware uses AES-based encryption to stop documents, pictures, and other media on the computer from opening. Although Hidden Tear's encryption isn't highly advanced and there are some decryptors for different versions of its family, malware experts see minimal decryption options for victims of the CROWN Ransomware or its predecessor, the BulbaCrypt Ransomware. Backups remain the best way of recovering from such an attack.

Besides adding 'CROWN' extensions to the names of the files it locks, which is a tradition among file-locking Trojans of all families, the CROWN Ransomware creates a borderless pop-up for its ransom note. After reviewing the contents, malware experts rate it as likely that a different threat actor is responsible for the CROWN Ransomware, which doesn't use its ancestor's format for payment information. So far, all versions of the CROWN Ransomware are in a test state and use placeholders for elements like the user's account name inside the pop-up.

Denying the CROWN Ransomware's Royal Privilege over Your Files

Although its ransoming instructions are different from those of the old, Ethereum-peddling spinoff, paying the CROWN Ransomware's fee is no more or less likely to give the victim an appropriate decryption service. Users can save backups onto removable devices or secured cloud servers for alternate, and much less expensive, ways of retrieving their media. Any attacks by the CROWN Ransomware are most likely to target data types like Microsoft Word documents, Excel spreadsheets, Adobe PDFs, pictures like GIFs or JPGs, and ZIP archives, among others.

The CROWN Ransomware's samples are using the vague name of 'God.exe' for their installers, which provides limited help in estimating any infection strategies. Its campaign may use torrents, e-mail attachments, website-running Exploit Kits, or other tactics for compromising your PC. However, it is Windows-based, and all users of that OS should have compatible anti-malware programs for removing the CROWN Ransomware as needed.
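The indicators described above (the appended 'CROWN' extension, the targeted file types, and the 'God.exe' installer name) can be combined into a behavioural check over file-rename telemetry. This is an added example, not code from the original article or any vendor tool; the event tuple format, the threshold and window values, and the literal ".CROWN" suffix appended after the original extension are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumptions (not from the article): the appended extension is literally
# ".CROWN", and rename events arrive as (ISO time, process image, old, new).
LOCKED_EXT = ".crown"
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".gif", ".jpg", ".zip"}
NAMED_INSTALLER = "god.exe"  # sample name from the article; trivially changed

def is_locking_rename(old, new):
    """True when a targeted file type gains the CROWN extension."""
    old_p, new_p = PureWindowsPath(old), PureWindowsPath(new)
    return (new_p.suffix.lower() == LOCKED_EXT
            and old_p.suffix.lower() in TARGET_EXTS
            and new_p.name.lower().startswith(old_p.name.lower()))

def detect(events, threshold=5, window=timedelta(seconds=10)):
    """Return {process image: reason} for processes that look like the Trojan."""
    recent = defaultdict(deque)   # image -> timestamps of locking renames
    alerts = {}
    for ts, image, old, new in sorted(events):
        if not is_locking_rename(old, new):
            continue
        t = datetime.fromisoformat(ts)
        q = recent[image]
        q.append(t)
        while t - q[0] > window:   # drop renames older than the window
            q.popleft()
        if PureWindowsPath(image).name.lower() == NAMED_INSTALLER:
            alerts.setdefault(image, "known installer name")
        elif len(q) >= threshold:
            alerts.setdefault(image, "rename burst")
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE = [
    (f"2019-07-10T12:00:0{i}", r"C:\Users\a\Downloads\setup.exe",
     rf"C:\Users\a\Documents\f{i}.docx", rf"C:\Users\a\Documents\f{i}.docx.CROWN")
    for i in range(6)
] + [
    ("2019-07-10T12:01:00", r"C:\Temp\God.exe",
     r"C:\Users\a\Pictures\p.jpg", r"C:\Users\a\Pictures\p.jpg.CROWN"),
    ("2019-07-10T12:02:00", r"C:\Windows\explorer.exe",
     r"C:\Users\a\notes.txt", r"C:\Users\a\notes.md"),
]

if __name__ == "__main__":
    for image, reason in detect(SAMPLE).items():
        print(f"ALERT {image}: {reason}")
```

Because the installer name is easy to change, the rename-burst rule is the one that still fires when the file name differs, as the renamed `setup.exe` in the sample shows.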

The CROWN Ransomware's debut places less emphasis on social engineering than its predecessor's cryptocurrency lure, but it can lock files just as well. No one without a backup is wholly safe, considering that the code of this Trojan, Hidden Tear, is available to all takers.
