
CRPTD Ransomware

Posted: September 24, 2020

The CRPTD Ransomware is a file-locking Trojan that blocks media files and holds them hostage by encrypting them. The CRPTD Ransomware also creates ransom notes using a previously-known HTA template that sells the victims a possible unlocking service. Most updated anti-malware products should thwart infection attempts or uninstall the CRPTD Ransomware, and traditional backup practices can assist with inexpensive data recovery.

What a Tangled Web of Lineage Trojans Weave

Not all file-locking Trojans have a definitive lineage. Such puzzles only grow more convoluted as the different sub-sectors of the Trojan black market increasingly borrow ideas and resources from one another. The CRPTD Ransomware, at first glance, is identifiable by sight as a variant of the Globe Imposter Ransomware family. Some sources beg to differ, suggesting on the basis of other evidence that it's a Phobos Ransomware release. Lastly, malware experts see a possible connection between this mysterious Trojan and the ancient family of the Unlock92 Ransomware.

The prominent features of the CRPTD Ransomware are its Windows compatibility, appending 'crptd' extensions to media files, and blocking the same files with an encryption routine. The encryption keeps the files from opening until their internal data is converted back to 'normal,' which requires a compatible decryptor. In many cases, the threat actor holds the key that the decryption utility needs and sells the unlocking as a service, as happens in the CRPTD Ransomware's HTA (advanced HTML) ransom note.

The CRPTD Ransomware's ransom note uses an e-mail address previously associated with attacks from the Phobos Ransomware family, a Ransomware-as-a-Service of some prominence. Nonetheless, the Trojan most clearly resembles the RaaS of the Globe Imposter Ransomware (a double-copycat that imitates the Globe Ransomware, which, in its turn, rips off the Dharma Ransomware). As the last tangle of its identity, the Trojan uses an extension that malware experts have seen before specifically in the Unlock92 Ransomware family, namely in its 2017 variant, the Naampa Ransomware.

Some of these Trojan families have compatible free decryption solutions online, and others, as is typical, lack them. Running an incompatible decryptor carries the further risk of permanently damaging the encrypted or locked files beyond any restoration.

Spotting the Windows System File that Doesn't Belong

The CRPTD Ransomware may, if it is indeed part of the Unlock92 Ransomware's family, target Russian speakers, but its note suggests English-speaking victims instead. Malware researchers can confirm that it takes the all-too-typical tactic of posing as part of Windows (specifically, the 'svchost' file) during the installation exploit. After that installation, the Trojan may show few to no symptoms while it busies itself blocking documents, images and similar media.
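The two indicators named above (a process posing as 'svchost' and files carrying the 'crptd' extension) can be checked mechanically. The following triage helper is an added example written for this page; it is not code from the original article or from any vendor. It assumes that a legitimate svchost runs only from the Windows system directories listed in the script, that the appended extension appears as the file-name suffix '.crptd', and it runs over a constructed process list and file list rather than a live system.

```python
"""Added example: flag svchost lookalikes and 'crptd'-suffixed files.

Assumptions (not facts from the article): the legitimate Windows host
process lives under System32 or SysWOW64, and the CRPTD Ransomware's
extension appears as the suffix '.crptd'. All sample data is constructed.
"""

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: directories where a genuine svchost.exe is expected to live.
LEGIT_SVCHOST_DIRS = {
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
}

# Assumption: the extension the Trojan appends, as a lowercase suffix.
CRPTD_EXT = ".crptd"


@dataclass(frozen=True)
class Proc:
    """Minimal process record as a process lister would report it."""
    pid: int
    name: str
    path: str


def is_svchost_lookalike(proc: Proc) -> bool:
    """True when a process calls itself svchost but runs from an unexpected directory."""
    if proc.name.lower() != "svchost.exe":
        return False
    parent = str(PureWindowsPath(proc.path).parent).lower()
    return all(parent != str(d).lower() for d in LEGIT_SVCHOST_DIRS)


def find_svchost_lookalikes(procs):
    """Return every process that fakes being the Windows host process."""
    return [p for p in procs if is_svchost_lookalike(p)]


def find_crptd_files(filenames):
    """Return every path whose name ends in the ransomware extension (case-insensitive)."""
    return [f for f in filenames if f.lower().endswith(CRPTD_EXT)]


# Constructed sample data: one genuine svchost, one impostor in a user profile.
SAMPLE_PROCS = [
    Proc(804, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(4112, "svchost.exe", r"C:\Users\victim\AppData\Roaming\svchost.exe"),
    Proc(5020, "explorer.exe", r"C:\Windows\explorer.exe"),
]

# Constructed sample data: two locked files, one untouched.
SAMPLE_FILES = [
    r"C:\Users\victim\Documents\report.docx.crptd",
    r"C:\Users\victim\Pictures\holiday.jpg",
    r"C:\Users\victim\Pictures\family.png.CRPTD",
]


if __name__ == "__main__":
    for p in find_svchost_lookalikes(SAMPLE_PROCS):
        print(f"suspicious svchost: pid={p.pid} path={p.path}")
    for f in find_crptd_files(SAMPLE_FILES):
        print(f"locked file: {f}")
```

On a real host the process list would come from the platform's own process API and the file list from walking user directories; the comparison logic stays the same. A hit on the first check is worth isolating the machine for, since the article notes the Trojan shows few other symptoms while it works.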

Appropriately-secured and maintained backups are an excellent step for countering Trojan attacks that involve data encryption, corruption or deletion. Administrators also bear the responsibility of updating server software and using passwords strong enough to block brute-force attacks from compromising their servers. All users should also be wary of possible exploits involving e-mail attachments, fake updates, and illicit downloads (such as torrent-circulating game cracks).

Only Windows environments are at risk from the CRPTD Ransomware, whatever its historical ties are or aren't. A slim majority of AV products in the industry are flagging and deleting the CRPTD Ransomware, with detection rates expected to rise over time.

The CRPTD Ransomware can be just as hurtful to data as any of the many families raised in this article. For most Windows users, where a Trojan comes from can matter less than where it's going.
