
Cryptolocker 1.0.0 Ransomware

Posted: March 15, 2017

Threat Metric

Ranking: 16,983
Threat Level: 10/10
Infected PCs: 1,712
First Seen: September 11, 2013
Last Seen: October 12, 2023
OS(es) Affected: Windows

The Cryptolocker 1.0.0 Ransomware is a Turkish variant of CryptoLocker, a 2013-dated Trojan that can encrypt your files. Its visible symptoms appear only after the Trojan has locked your files, potentially making them impossible to recover. Use anti-malware programs to remove the Cryptolocker 1.0.0 Ransomware safely, either before or after it encrypts your PC's data, and use backups, if required, to reverse any damage.

Presented with a Choice in Poison Pills

The Cryptolocker family is exhibiting an unusually long lifespan for threatening software, possibly thanks to its still-unbreakable encryption features. A Turkish threat actor referred to as 'Alp' is developing a new version of this Trojan, the improperly numbered Cryptolocker 1.0.0 Ransomware, which is also set to attack Turkey-based victims. Like old versions of the same program, the Cryptolocker 1.0.0 Ransomware uses RSA encryption to hold what's on your PC hostage.

As current samples are only partially functional, the Cryptolocker 1.0.0 Ransomware project still seems to be in the midst of its development and, hopefully, may never be finished and released into the wild. However, like old CryptoLocker variants, the Cryptolocker 1.0.0 Ransomware can scan for files on your PC, isolate them based on either their formats or their locations, and encipher them with an RSA-based algorithm that blocks them from opening.

The Cryptolocker 1.0.0 Ransomware's most evident symptom is the pop-up message it launches after taking your data hostage. The Turkish-language ransoming message offers a choice between a 'red pill' button for deleting your files and a 'blue pill' button for decryption after negotiating with the threat actor over e-mail. Including themes from media, like the Matrix cinematic universe, is one of the ways that Trojan authors try to distinguish their 'products' from those of their competitors.

Preventing Your PC from Making a Pill-Popping Proposition

Despite the version number that Alp is attaching to his project, the Cryptolocker 1.0.0 Ransomware isn't the first, full-fledged version of Cryptolocker. Variants of the family are verifiable throughout the past few years, with many of them circulating through e-mail attachments. Malware experts have yet to see the Cryptolocker 1.0.0 Ransomware playing a part in any live attacks, but its filenames indicate that it potentially disguises itself as some form of Adobe PDF content. These 'documents' may pretend to be department messages or communications from a third party, such as a tax consultant or delivery company.
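An added example (not from the original page or from any vendor tool): a Python check that a mail gateway or triage script could apply to attachment names to catch the document disguise described above. The extension sets, the function names and the sample file names are assumptions constructed for illustration.

```python
import unicodedata

# Assumed extension sets for illustration; tune them for your own environment.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Bidirectional control characters that can visually reorder a file name.
BIDI_CONTROLS = set("\u202a\u202b\u202d\u202e\u2066\u2067\u2068")


def classify_name(filename: str) -> str:
    """Return 'bidi-control', 'double-extension', 'executable' or 'ok'."""
    if any(ch in BIDI_CONTROLS for ch in filename):
        return "bidi-control"
    # Keep only the final path component, whichever separator was used.
    base = filename.replace("/", "\\").rsplit("\\", 1)[-1]
    # Windows ignores trailing dots and spaces, so drop them before parsing.
    base = unicodedata.normalize("NFKC", base).rstrip(" .").lower()
    # Padding spaces around an extension push the real one out of view.
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 2 or "." + parts[-1] not in EXEC_EXTS:
        return "ok"
    if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS:
        return "double-extension"
    return "executable"


def flag_attachments(names):
    """Return (name, verdict) pairs for every name that is not 'ok'."""
    verdicts = ((n, classify_name(n)) for n in names)
    return [(n, v) for n, v in verdicts if v != "ok"]


# Constructed sample attachment names (not taken from any real sample).
SAMPLES = [
    "Fatura_Mart.pdf.exe",
    "kargo takip.PDF          .scr",
    "rapor\u202efdp.exe",
    "vergi_beyannamesi.pdf",
    "setup.exe",
]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLES):
        print(f"{verdict:17} {name!r}")
```

A 'double-extension' or 'bidi-control' verdict is a strong reason to quarantine the attachment; a plain 'executable' verdict depends on local policy.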

Limited decryption tools are available for free download to counteract the payloads of old versions of Cryptolocker, but no similar solutions have yet appeared for the Cryptolocker 1.0.0 Ransomware. Since decryption is never certain, malware researchers advise backing up your hard drive and ignoring ransom demands from Alp or other threat actors conducting attacks of a similar nature. Most PC users benefiting from active anti-malware monitoring should be able to delete the Cryptolocker 1.0.0 Ransomware proactively.

The Cryptolocker 1.0.0 Ransomware offers you a choice between two equally poor options. The small amount of time required to back up your files is always worth it, in comparison to the often massive losses of data that Trojans of this description can levy.

Aliases

Inject2.BWZN [AVG]
W32/Bitman.FO!tr [Fortinet]
Trojan.Win32.Injector [Ikarus]
Artemis!E78654D43FCF [McAfee]
Ransom:Win32/Tescrypt.A [Microsoft]
Trojan[Ransom]/Win32.Bitman [Antiy-AVL]
Troj/Ransom-AST [Sophos]
Trojan.AVKill.36611 [DrWeb]
TrojWare.Win32.Ransom.Bitman.~NS [Comodo]
Trojan-Ransom.Win32.Bitman.fo [Kaspersky]
Win32:Malware-gen [Avast]
Trojan.Gen [Symantec]
Trojan ( 004bc9ff1 ) [K7AntiVirus]

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:


