Crypto1CoinBlocker Ransomware
Posted: January 19, 2017
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 22 |
| First Seen: | January 19, 2017 |
|---|---|
| OS(es) Affected: | Windows |
The Crypto1CoinBlocker Ransomware is a variant of the Xorist Ransomware that bears minimal changes from the previous Trojan, except for new ransoming components and a new method of code obfuscation. As with the Xorist Ransomware, the Crypto1CoinBlocker Ransomware blocks your files and delivers messages meant to force you into paying to unblock them. Affected victims should seek alternatives, if available, and use anti-malware products for uninstalling the Crypto1CoinBlocker Ransomware safely.
A Low-Effort Remix of an Old 'Favorite'
With Ransomware-as-a-Service (or RaaS) and similar business models being dependable parts of the threat black market, it's clear that many con artists have more interest in benefiting from threatening software than they do in coding it. However, with the recently-identified Crypto1CoinBlocker Ransomware, this phenomenon goes to a new extreme. This Trojan is all but identical to the old Xorist Ransomware of the past year, with one, major exception: its authors re-compressed it, using a free trial version of a packer application.
Data compression or packing is one of the most common ways of providing surface protection to Trojans against anti-malware analysis and has little impact on the underlying payload. When the Crypto1CoinBlocker Ransomware installs itself, it continues conducting all of the attacks the Xorist Ransomware was known for employing previously, such as:
- Encrypting files as a means of blocking them. Note that Xorist Ransomware-based Trojans like the Crypto1CoinBlocker Ransomware can use TEA or XOR-based encryption methods, but other components of this threat (see below) claim falsely that RSA-2048 is in use.
- Adding seemingly 'random' extension characters to the locked filenames. These aren't random and, in fact, represent the same Bitcoin wallet address that the Crypto1CoinBlocker Ransomware's authors use for collecting their ransom money.
- Creating a Notepad text, Windows error box and HTML pop-up-based ransom messages, which demand Bitcoin payments for decrypting and unlocking your data. Malware experts can verify the Crypto1CoinBlocker Ransomware's pop-up as being gathered from CryptoLocker, which further confuses any attempts to identify and counter this threat.
Keeping Your Coins on the Way Through a File Blockade
In a law-abiding industry, the Xorist Ransomware's authors would have grounds to sue the threat actors managing the Crypto1CoinBlocker Ransomware, who have borrowed all essential aspects of the old Trojan while re-branding it for their profit. The Crypto1CoinBlocker Ransomware also offers incredibly clear evidence of some of the problems with taking extortionists at their word; both TEA and XOR are far more easily subject to decoding by appropriate freeware and security researchers than RSA-2048. However, malware analysts always recommend investing in backups to cut off these ransoming attempts most directly.
Con artists may be installing the Crypto1CoinBlocker Ransomware by attaching it to e-mail messages with the disguise of fake PDF-based invoices. Anti-malware programs can identify the most corrupted files and remove the Crypto1CoinBlocker Ransomware before you lose any content, and enabling visible extensions can help you detect attempts to confuse the format of a download. While a majority of anti-malware programs do identify the Crypto1CoinBlocker Ransomware heuristically, often as a variant of Filecoder or Ransom.AIG.
Although it takes more effort to protect yourself from a threat like the Crypto1CoinBlocker Ransomware than it does for a con artist to create it, one may count the cost of doing otherwise in often high stacks of Bitcoins.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.