CryptConsole v3 Ransomware
Posted: June 26, 2018
Threat Metric
| Field | Value |
|---|---|
| Threat Level | 10/10 |
| Infected PCs | 1,906 |
| First Seen | February 27, 2015 |
| Last Seen | April 11, 2022 |
| OS(es) Affected | Windows |
The CryptConsole v3 Ransomware is an update of the CryptConsole Ransomware, a Trojan that pretended to encrypt your files but only renamed them. This version of the Trojan includes a real data-locking feature, and victims of its attacks should seek decryption assistance from reputable members of the cyber-security industry, as appropriate. Maintain strong network login security to block the traditional infection methods, and scan all new files with anti-malware software so that the CryptConsole v3 Ransomware is deleted before you incur any file damage.
The Console Gets an Update that the Public Should Dread
The CryptConsole Ransomware family, a minor copycat of the Globe Ransomware, was initially notable for lying about its payload: it presented all the appearances of a file-locking Trojan without the associated danger of data encryption. Victims of these early attacks could recover their files with a freeware application or even by renaming them. However, its threat actors have yet to abandon the project, and its new version, the CryptConsole v3 Ransomware, uses real file-locking techniques.
The CryptConsole v3 Ransomware's executable is circulating under a fake 'Microsoft Updater' label and includes some obfuscation intended to hide it from security solutions. The threat encrypts media files, such as documents, using an algorithm such as AES-256, XOR or RSA. A 'locked' file can also be recognized by its name, which gains a hexadecimal string in brackets and an e-mail address that the threat actor uses for ransom transactions.
While previous releases delivered advanced Web page-based messages, the CryptConsole v3 Ransomware transitions to using a TXT Notepad file for its ransom note. The instructions are a clone of those from other file-locker Trojans' campaigns but have an update to the ransom amount (fifty USD) and a new e-mail address for communicating on further details. As a rule, malware analysts suggest contacting appropriate industry experts for their decryption help before paying for a criminal's assistance, assuming that no other way of recovering the encrypted media is possible.
Keeping Your Media from Getting the Wrong Console Experience
Although it's not impossible that a fake Microsoft update file could circulate via spam e-mails, malware experts consider it most likely that the CryptConsole v3 Ransomware's campaign is using brute-force or RDP-based infection vectors. Such attacks take advantage of weak password management to gain remote control over vulnerable PCs and then run file-locking Trojans like the CryptConsole v3 Ransomware to lock the locally-stored media. Despite its obfuscation, most anti-malware programs detect the CryptConsole v3 Ransomware and should block the Trojan before it encrypts anything in other installation scenarios.
Free decryption software is available for the CryptConsole v3 Ransomware, but users should create copies of the encrypted files before testing the program's compatibility with them. Non-local backups also are the best strategy for protecting documents, spreadsheets, and other media from file-locking Trojans of all families, whose attacks aren't always decryptable. Since it doesn't include self-distribution features, deleting the CryptConsole v3 Ransomware should be done with complete system scans by anti-malware products that also can identify other security issues.
Glancing at the CryptConsole v3 Ransomware's note and assuming that it will tell you which decryption application works for it can be a quick path towards damaging your files beyond restoration. The very nature of the malware industry makes trusting your eyes a bad idea when it comes to dealing with infections that have significant side effects.
Update
The 'xzet@tutanota.com' Ransomware is a variant of the CryptConsole v3 Ransomware, which has gained some popularity among cybercriminals in the past few months, and we have seen several unique variants like the Kurosaki_ichigo@tutanota.com Ransomware. The newest variant does not include any major improvements regarding functionality and, thankfully, this means that the 'xzet@tutanota.com' Ransomware is likely to be decryptable via the free decryptor that is available for the main CryptConsole v3 Ransomware.
Since the 'xzet@tutanota.com' Ransomware is not spread widely, there is no accurate information regarding the propagation techniques, which might be used to spread this harmful application. One of the commonly used techniques to propagate ransomware is fake e-mail messages, but the authors of the 'xzet@tutanota.com' Ransomware also might rely on alternative methods such as fake downloads or attacks on vulnerable remote desktop software. Regardless of the infection vector used, the 'xzet@tutanota.com' Ransomware will always carry out the attack in the same way – it encrypts a broad range of file types and then offers to provide the victim with a decryptor in exchange for money.
The authors of the 'xzet@tutanota.com' Ransomware demand a ransom payment of 0.112 Bitcoin, and deliver their message with the help of the file called 'HOW DECRIPT FILES.hta'. Surprisingly, the 'xzet@tutanota.com' Ransomware uses a ransom note design identical to the one used by the Globe Ransomware.
Although the victims of the 'xzet@tutanota.com' Ransomware might be tempted to negotiate with the cybercriminals behind the attack, we would like to assure them that this is a bad idea. The anonymous hackers who use the 'xzet@tutanota.com' Ransomware to encrypt files are not someone to be trusted, and you should not forget that they might trick you out of your money. The correct thing to do when dealing with the 'xzet@tutanota.com' Ransomware or another file-locker based on CryptConsole v3 Ransomware is to install and run a trustworthy anti-virus product that will ensure the full removal of the file-locker immediately. When this is done, you should use the free CryptConsole decryptor, which should help you recover your files.
Technical Details
File System Modifications
The following files were created in the system:
%SystemDrive%\Users\<username>\AppData\Roaming\HOW DECRIPT FILES.hta
File name: HOW DECRIPT FILES.hta
Size: 9.04 KB (9041 bytes)
MD5: b916ea166673abba1a2927460bad933f
Detection count: 1,658
Mime Type: unknown/hta
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: April 15, 2017
ad96a3712aa662ffb5fd4ded8edd4d1b
File name: ad96a3712aa662ffb5fd4ded8edd4d1b
Size: 26.62 KB (26624 bytes)
MD5: ad96a3712aa662ffb5fd4ded8edd4d1b
Detection count: 45
Group: Malware file
Last Updated: February 21, 2017
%ALLUSERSPROFILE%\HOW DECRIPT FILES.hta
File name: HOW DECRIPT FILES.hta
Size: 9.1 KB (9103 bytes)
MD5: 251bc88dedd1399eba7fe0bb8a5a1fd6
Detection count: 33
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: March 2, 2017
%ALLUSERSPROFILE%\HOW DECRIPT FILES.hta
File name: HOW DECRIPT FILES.hta
Size: 9.07 KB (9077 bytes)
MD5: d7b8230c9909a9cf4a21a3f55cd95318
Detection count: 16
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: March 2, 2017
dir\name.exe
File name: name.exe
Size: 7.68 KB (7680 bytes)
MD5: 1c240d1a748471b20047dbd94c2e6b9d
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: dir
Group: Malware file
Last Updated: April 11, 2022
Registry Modifications
File name without path: HOW DECRIPT FILES.hta
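The symptoms above (the ransom note name, the MD5s listed in the file list, and victim files renamed with a bracketed hex string plus an e-mail address) can be turned into a simple file-system triage check. This is an added example, not code from the page or from any vendor; the exact layout of a renamed victim file and all sample paths are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# MD5 values taken from the page's File System Modifications list.
KNOWN_MD5 = {
    "b916ea166673abba1a2927460bad933f": "HOW DECRIPT FILES.hta",
    "251bc88dedd1399eba7fe0bb8a5a1fd6": "HOW DECRIPT FILES.hta",
    "d7b8230c9909a9cf4a21a3f55cd95318": "HOW DECRIPT FILES.hta",
    "ad96a3712aa662ffb5fd4ded8edd4d1b": "ad96a3712aa662ffb5fd4ded8edd4d1b",
    "1c240d1a748471b20047dbd94c2e6b9d": "name.exe",
}
RANSOM_NOTE = "how decript files.hta"

# Assumed victim-file naming: a bracketed hex string and an e-mail address
# somewhere in the name. The page names both symptoms but not their order,
# so both are matched independently (constructed assumption).
HEX_IN_BRACKETS = re.compile(r"\[[0-9A-Fa-f]{8,}\]")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def classify(path, md5=None):
    """Return a verdict for one file, or None when nothing matches."""
    name = PureWindowsPath(path).name
    if md5 and md5.lower() in KNOWN_MD5:
        return "known-hash:" + KNOWN_MD5[md5.lower()]
    if name.lower() == RANSOM_NOTE:
        return "ransom-note"
    # Both symptoms are required: brackets alone are common in normal names.
    if HEX_IN_BRACKETS.search(name) and EMAIL.search(name):
        return "renamed-victim-file"
    return None


def triage(entries):
    """entries: iterable of (path, md5 or None). Returns {path: verdict} for hits."""
    return {p: v for p, h in entries if (v := classify(p, h))}


# Constructed sample inventory (paths and hashes for the normal files are made up).
SAMPLE = [
    (r"C:\ProgramData\HOW DECRIPT FILES.hta", "251bc88dedd1399eba7fe0bb8a5a1fd6"),
    (r"C:\Users\alice\AppData\Roaming\HOW DECRIPT FILES.hta", None),
    (r"C:\Users\alice\Documents\budget.xlsx[0123456789ABCDEF].xzet@tutanota.com", None),
    (r"C:\Users\alice\Pictures\photo[DEADBEEF01].jpg", None),
    (r"C:\Users\alice\Documents\budget.xlsx", "00000000000000000000000000000000"),
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(verdict, path)
```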