Crypto-SweetTooth Ransomware
Posted: January 16, 2017
Threat Metric
The following fields shown on the Threat Meter, each with a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, using an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 5/10 |
|---|---|
| Infected PCs: | 95 |
| First Seen: | January 16, 2017 |
| OS(es) Affected: | Windows |
The CryptoSweetTooth Ransomware is a Trojan that blocks your files by enciphering them with an algorithm such as AES-128. Although the symptoms of a CryptoSweetTooth Ransomware infection are easily identifiable, the fact that your data may not be decryptable afterward leads malware experts to stress using preventative security protocols whenever practical. If those steps are insufficient, use standard anti-malware tools to remove the CryptoSweetTooth Ransomware and seek assistance from reliable cyber security resources on unlocking your files.
The Sweet Side of Hidden Tear
Threat actors without any interest in developing custom code for their file-encrypting threats continue turning to cheaply available black hat resources, with Hidden Tear being one of the largest, decentralized families to date. The CryptoSweetTooth Ransomware is one of the newest Trojans spotted in the group. It uses common social engineering tactics to gain system access and, then, locks all your files until you pay the Bitcoin fee it demands.
File data for its installers and executables leads malware analysts to at least two disguises: a fake Bitcoin generator app and a fake adult video file. The latter uses the traditional trap of a fake WMV extension hiding the real EXE one. When it launches, the CryptoSweetTooth Ransomware runs through a payload that's common to most versions of Hidden Tear, as follows:
- The Trojan uses an AES-based algorithm to encipher your files in the directories the threat actor specifies, such as Documents, Downloads or Users. It then uploads the key needed to decrypt and unlock them to a server under the threat actor's control.
- The CryptoSweetTooth Ransomware also may modify your files' names by inserting secondary extensions, such as the '.locked' tag that also is being used by some Hidden Tear variants.
- When it finishes locking your files, the CryptoSweetTooth Ransomware places a text message on your desktop. This note asks you to make a Bitcoin payment in return for the con artist's decryption help, with the use of the cryptocurrency guaranteeing that you can't cancel the charge (even if you receive no assistance).
Keeping Your Files from Developing Cavities
Enabling visible file extensions can help you identify a CryptoSweetTooth Ransomware installer that's pretending to be something other than what it is; meanwhile, scanning downloads with anti-malware utilities can detect most threats of this type without issue. One aspect of mild interest in the CryptoSweetTooth Ransomware's campaign is its choice of disguises. Fake video files lend themselves more to torrents and other unsafe download habits than the usual 'fake work document attached to an e-mail' that most threat actors prefer. Also of note is that malware analysts are only seeing ransom messages from the CryptoSweetTooth Ransomware in Spanish, making either Europe or South America the most likely target regions for this threat.
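The two visible indicators the write-up names, a fake video extension hiding a real EXE one and a folder full of files renamed with '.locked', can both be checked for with a small heuristic scan. The script below is an added example, not code from this page or from SpyHunter; the decoy and executable extension lists, the per-folder alert threshold and the constructed sample folder layout are all assumptions.

```python
import os
import tempfile
from pathlib import PurePath

# Assumed lists: extensions a lure shows, and executable extensions that may hide behind them.
DECOY_EXTS = {".wmv", ".avi", ".mp4", ".mkv", ".doc", ".docx", ".pdf", ".jpg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
LOCKED_EXT = ".locked"       # secondary extension the write-up mentions for Hidden Tear variants
LOCKED_ALERT_THRESHOLD = 5   # assumed: this many renamed files in one folder counts as an event


def is_disguised_executable(filename: str) -> bool:
    """True for names like 'clip.wmv.exe': an executable extension behind a decoy one."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) < 2 or suffixes[-1] not in EXEC_EXTS:
        return False
    return any(s in DECOY_EXTS for s in suffixes[:-1])


def scan_tree(root: str) -> dict:
    """Walk root; report disguised executables and folders with many '.locked' files."""
    findings = {"disguised": [], "locked_dirs": {}}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = PurePath(os.path.relpath(dirpath, root)).as_posix()
        locked = sum(1 for f in files if f.lower().endswith(LOCKED_EXT))
        if locked >= LOCKED_ALERT_THRESHOLD:
            findings["locked_dirs"][rel_dir] = locked
        for f in files:
            if is_disguised_executable(f):
                findings["disguised"].append(f"{rel_dir}/{f}")
    findings["disguised"].sort()
    return findings


def build_sample_tree(base: str) -> None:
    """Constructed sample: a lure in Downloads and a partly encrypted Documents folder."""
    downloads, documents = os.path.join(base, "Downloads"), os.path.join(base, "Documents")
    os.makedirs(downloads)
    os.makedirs(documents)
    for name in ("hot_video.wmv.exe", "bitcoin_generator.exe", "holiday.mp4"):
        open(os.path.join(downloads, name), "wb").close()
    for i in range(6):  # six documents already renamed by the encryptor
        open(os.path.join(documents, f"report{i}.docx.locked"), "wb").close()
    open(os.path.join(documents, "notes.txt"), "wb").close()


def demo_scan() -> dict:
    """Build the constructed tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo_scan())
```

The single-extension 'bitcoin_generator.exe' lure is deliberately not flagged by the double-extension rule; it is the case where scanning downloads with an anti-malware utility, rather than a filename heuristic, is what catches the installer.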
There are free decryptors for Hidden Tear that malware experts recommend using for data recovery for any victims who can't restore their encrypted content from a backup. However, PCs with active anti-malware protection should delete the CryptoSweetTooth Ransomware before this threat can finish blocking any significant amount of content. As a Trojan with a firm foundation in previously-analyzed code, the CryptoSweetTooth Ransomware has low evasion rates against most brands of anti-malware security products.
Hoping that the black hat sector will relax its exploitation of ripe Trojan-construction resources would appear to be in vain, with the CryptoSweetTooth Ransomware being just one of many variants of Hidden Tear already making names for themselves in the new year.