
CryptoID Ransomware

Posted: February 6, 2019

The CryptoID Ransomware or the 'RICKROLL LOCKER' is a file-locking Trojan that's a minor update of the Aurora Ransomware. The CryptoID Ransomware can lock your files, like the first version of the program, by encrypting them, as well as change their extensions and create text ransoming messages. The users should ignore the extortion attempts by its threat actor, have their anti-malware product delete the CryptoID Ransomware, and recover from backups or freeware solutions.

Not the Kind of Aurora You Should See

The small family of file-locker Trojans known both as the OneKeyLocker and as the Aurora Ransomware is getting a February update under the name of the CryptoID Ransomware. While the CryptoID Ransomware's alterations are almost entirely shallow or cosmetic, its encryption-based payload works as well as ever for blocking media and making money off of the attack. Malware experts are currently looking at several versions of its executable, named either 'tree' or 'RICKROLL'.

The 'RICKROLL' label, which refers to a popular Internet joke about redirecting users to a music video, might seem to indicate that the CryptoID Ransomware is a joke. However, the CryptoID Ransomware's ransom note contains the full set of instructions from the old Aurora Ransomware, with the same expectation that victims pay in Bitcoins to unlock their files. The CryptoID Ransomware also keeps the note's reference to RSA encryption, which, malware experts emphasize, does not match the real cryptography of the CryptoID Ransomware's family, which uses a DES algorithm.

The CryptoID Ransomware asks for four hundred USD in Bitcoins in exchange for a decryption service. Unlike most file-locker Trojans, the CryptoID Ransomware and the stock Aurora Ransomware note offer no trial or free decryption to prove the threat actor's reliability. Additionally, users should note that the CryptoID Ransomware is built from an offline variant of the Aurora Ransomware; in other words, disabling one's Internet connection, which was a workaround against old versions of the Aurora Ransomware, will not interfere with this Trojan's installation or its payload.

Bringing Down the Lights on an Aurora Ransomware Update

The majority of the CryptoID Ransomware's changes involve renaming preexisting files, such as the ransom notes, and changing the contact addresses and the locked files' extension. Consequently, malware analysts see few barriers to the CryptoID Ransomware's compatibility with the AuroraDecryptor program already available to the public for data recovery. However, users should back up the files before decrypting them, since a failed decryption can corrupt the affected media permanently.

Using secure passwords on your network logins, scanning new downloads before opening them, and avoiding exploitable content like Flash, JavaScript or Word's macro feature can help users avoid the most prolific strategies for infecting their PCs. Windows users should also be careful about depending too much on Windows' Restore Points feature, which most file-locking Trojans target for deletion. Anti-malware software, while always useful for deleting the CryptoID Ransomware and similar threats, contains no decryption features.

Like the AnimusLocker Ransomware or the Desu Ransomware, the CryptoID Ransomware is a superficial update to its family. What shouldn't be forgotten, however, is that even the smallest updates indicate that criminals find exploiting victims who keep no backups to be a profitable business.
