CryptoWire Ransomware

The CryptoWire Ransomware is a Trojan most likely developed as a proof of concept experiment to educate security researchers on the functions of file-encrypting threats. Although its author has limited critical aspects of its ransom features to prevent its abuse by con artists, the CryptoWire Ransomware does contain a variety of potentially damaging attack features when it's launched on unprotected PCs. Follow standard anti-malware procedures for uninstalling the CryptoWire Ransomware in cases where its presence is unintended or misapplied.

A Trojan Missing Its Most Important Parts

The motivations behind designing Trojans aren't always as threatening as the software, itself. Although some software developers choose to design such programs to educate others on their capabilities, these projects sometimes are put to unintended purposes, such as the numerous variants of EDA2 and Hidden Tear-based threats. The CryptoWire Ransomware is another file encrypting Trojan of a similar origin that, hopefully, can avoid this consistency of exploitation by con artist hands.

The CryptoWire Ransomware is an AutoIT-based Trojan that lacks an administration panel for being controlled by remote attackers. Another, meaningful exclusion by its author is a missing UI option for purchasing its decryption key, although most other options, including the decryption feature, are present. In kind with similar Trojans, the CryptoWire Ransomware displays these features and its extortion message after encrypting your data and blocking files arbitrarily. The CryptoWire Ransomware uses the unusually strong AES-256 algorithm for this purpose, and malware experts find it capable of targeting popular cloud service storage, network-accessible drives and peripheral devices.

The CryptoWire Ransomware's payload also includes a variety of potentially threatening attacks that aren't in widespread use among most live-deployed threats, such as:

• The CryptoWire Ransomware uses a domain check to determine whether or not the infected PC is a personal machine or a corporate one. If the latter, it multiplies the demanded ransom fee by ten.
• Old file data that could help restore encrypted content is overwritten multiple times before being deleted permanently, including the Recycle Bin.
• The CryptoWire Ransomware targets files according to a variable size limit, instead of targeting data by what extension is in use. This change in attack implementation places the CryptoWire Ransomware in a position to do much more damage to a PC or entire network than most file encryptor Trojans.
• The Trojan's payload also includes limited spyware features for unknown reasons, such as keylogging (the feature of recording your typed keystrokes to a log).

Keeping the Might of Threat Education on Your Side

Because of its selective omission of necessary components that are mandatory for a real threat campaign, the CryptoWire Ransomware is not likely to be deployed in the wild without seeing additional work by a talented threat developer. On the other hand, if an individual executes it unintentionally, the CryptoWire Ransomware can be a source of extremely widespread data loss through its indiscriminate data-encoding attacks. Affected PC owners may, first, wish to see if the CryptoWire Ransomware's built-in decryption feature functions in their version of the Trojan before taking other actions.

Like other file encrypting Trojans, regardless of why they were programmed, removing the CryptoWire Ransomware is a task you should delegate to any available anti-malware software. Accidental or mismanaged installations of the CryptoWire Ransomware do have the potential to damage your operating system and its startup repair features, which may require booting from an external device (most commonly, your USB drive).

One might hope that the CryptoWire Ransomware will see a bright future for informing interested parties on the payloads of these threats without providing con artists with new tools. However, based on the patterns already seen with threats like the numerous spin-offs of Hidden Tear, history is not on the CryptoWire Ransomware's side.

Update November 14th, 2018 — Cryptre Ransomware

The Cryptre Ransomware is a variant of the CryptoWire Ransomware, a proof-of-concept project that demonstrates file-locking and ransoming. Since the Cryptre Ransomware is threatening to your PC's contents as any other file-locker Trojan equally, you should protect any critical data by backing it up and avoiding traditional security issues that could provoke infections, such as using weak network passwords. A majority of anti-malware programs should eliminate the Cryptre Ransomware safely and minimize any encryption issues.

An Elderly Family of Threats Refuses to Succumb to Old Age

The relatively small family of file-locking Trojans going by the name of CryptoWire Ransomware is experiencing new interest from threat actors since its first releases, years ago. The Cryptre Ransomware is several months more current than the other versions that malware experts took note of since the original threat's appearance, such as the HAHAHA Ransomware, the KingOuroboros Ransomware, the UltraLocker Ransomware and the misleadingly-named WanaCry4 Ransomware. Its payload, however, shows few adjustments for making it any less threatening to your files.

The source of the Cryptre Ransomware's code is an AutoIT program that's 'open source,' and, therefore, available to threat actors indiscriminately. Previous campaigns deploy minor variants of it around the world, such as in Brazil, although the infection exploits are flexible. Even though the Cryptre Ransomware, like other the CryptoWire Ransomware updates, uses a standard, AES encryption routine for locking files, there is no decryption solution available for free.

After it locks the document, picture or other media type, the Cryptre Ransomware inserts '.encrypted' extensions between the filename's main text and the original extension. The Cryptre Ransomware also creates a pop-up that it shares between both its family and other, unrelated file-locker Trojans, which displays a UI with a list of the hostage media, a Bitcoin-purchasing button and the decryption or unlocking feature. Victims should ignore the ransoming option for the decryptor, as long as they have any other means of recovering the files and be aware of the possibility of the Cryptre Ransomware's author taking the money without providing a key.

The Least Safe Windows Update You can Get

The Cryptre Ransomware's executable uses the generically-appropriate tactic of pretending that it's an update for Windows, which may be making its presence on the PC seem less notable or serve the extra purpose of tricking users into launching it. Fake Windows patches are a prominent sub-category of malvertising on unsafe ad networks. Malware experts recommend disabling advertisements, pop-ups and scripted content, like JavaScript, for improving one's Web-browsing safety against these social engineering attacks, and always download their software updates from an appropriate, company-endorsed site.

Besides the immediate problem of illegible files, the Cryptre Ransomware includes an additional feature for keylogging or recording your keyboard input to a log that it uploads to the threat actor's C&C server. Such attacks are responsible for collecting information, in most cases, although its use for a file-locker Trojan is less straightforward. Users should have a professional anti-malware tool delete the Cryptre Ransomware, restore any files from their backups, and re-secure any credentials by standardized means, such as changing all passwords.

Even though the CryptoWire Ransomware is old news, its attacks retain some relevance to the modern cyber-security landscape. Users who aren't backing their files up are putting themselves at risk, not just from every new Trojan, but from modest updates of old ones, too.