CryptPKO Ransomware

CryptPKO Ransomware Description

CryptPKO is a ransomware threat that will lock files on your computer and demand a fee in return for a decryption key. This type of malware infects through a Trojan that is embedded in an email attachment or a third party program, and it is one of the most dangerous threats out there. CryptPKO has been around since late 2014 and belongs to the Crypto Ransomware family. The malware is also known as Crypt.pko, while similar threats are CTB Locker and CrypVault.

CryptPKO Takes Your Data for Hostage

As soon as it infects your computer, CryptPKO will scan your hard drive to find and encrypt files that look user-specific, so you may expect that all your personal data contained in files of any format will be affected. CryptPKO can be distinguished by the way it interacts with its victims. It does not choose the more elaborate way in which the ransom note involves a user interface for automated communication and payment. Instead, CryptPKO drops a text document named 'HOW TO DECRYPT FILES.txt' on the desktop that displays the ransom note upon opening. The ransom note can also appear as a lock screen message when you start your computer.

The note states that all files on your computer are encrypted because you broke the law. In the note, the malware will ask you to visit a page named http://plc.lixter.com and if this site is not working it will advise you to email stoppiracy@email.su. You will be given five attempts to enter the code, if unsuccessful the malware threatens that your data will be irreversibly lost. In some cases, CryptPKO can also ask the victim to transfer BitCoins in the amount of 0.619 to the following address: 198tX7NmLg6o8qcTT2Uv9cSBVzN3oEozpv. The note also gives an ID of 8 symbols to be entered on the above site in order to proceed with the payment of the ransom.

Some researchers claim that makers of CryptPKO do not care much about privacy as they ask victims to visit a web page that is not even SSL-protected. Other reports show this page is usually offline and, just like with other ransomware threats, infected users will have to send an email to the cyber criminals in order to receive the instructions. Also, they will have to download the Tor browser as the site indicated in the ransom note cannot be reached with any other browser. Extorted amounts depend on the geographic location and the type of victim, yet the usual ransom is around $500.

CryptPKO Infects Through Drive-By Downloads or Spoof Emails

When the malware infects through the so-called 'drive-by download' technique, the malicious file is hidden within a pop-up window with a dialog box that prompts you to install a legit update of your Flash, Java or any other legal software installed on your computer. The other way of infecting with CryptPKO is through spam emails and in this case security experts believe hackers use botnet computers from which they send the emails with the malicious attachments. Botnets are a worldwide network of computers controlled by hackers and used by them to send spoof emails. Such emails disguise the real name of the sender and make the message appear as if it comes from a trustworthy source, like a big online retailer, a financial institution or even a government authority. Using social engineering tools, hackers will try to fool you into opening the email and downloading the attachment that carries the malware's Trojan.

CryptPKO Uses Typical Encryption Methods But Adds Its Own Marks

CryptPKO adds the extensions .i2dzqu or .i8xmgq to the infected files, making them unrecognizable for your operating system. The encryption affects between 2048 and 4096 bits of the file and infected files could also look like this: 'document.docx.fd2342412'. CryptPKO uses strong encryption algorithm like RSA-2048, and the private key that is required for the decryption of the data is stored on the hackers' server.

If your are infected with CryptPKO, you will notice multiple suspicious *32 processes running in your Task Manger. The malware sets deep in your system and looks very sustainable. It makes keys in the Windows Registry under HKEY_CLASSES_ROOT section, like CryptPKO.CrpytPKO.1 and CryptSig.CryptSig.1:
""="CryptPKO Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptPKO.CryptPKO.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptPKO Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptPKO Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWpm
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain "Default_Page_URL"
HKEY_LOCAL_Machine\Software\Classes\[CryptPKO Ransomware]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\[CryptPKO Ransomware].

The malware will create files in your "Temporary Files", "Applications Data"and "User Profiles" folders. These files can look like this:

  • %Temp%\CryptPKO.exe
  • %Appdata%\CryptPKO.reg
  • %Systemroot%\CryptPKO\[Random].exe
  • %Localappdata%\[Random].dll
  • %Homepath%\[Random].bat
  • %Allusersprofile%\[Random].ini
  • %Windir%\SysWOW64\[Random].dll
  • %CommonProgramFiles%\CryptPKO.ini
  • %Homedrive%\CryptPKO\[Random].exe
  • %Windir%\System32\drivers\[Random].sys
  • %Windir%\System32\[Random].dll
  • %Systemroot%\System32\[Random].dll

The malware can also create a "C:\ProgramFiles\CryptPKO Ransomware" folder, yet this could be hidden or look like a normal folder so that you may not be able to recognize it.

You can also find CryptPKO as an extension or an add-on to your browser where the malware could appear under names like "CouponsHelper", "FVD Video Downloader", "Searchqu Toolbar", or "PageRank Status". Further on, it can show up as "Fortop FLV Player" on the list of your installed programs.

Additional Symptoms and Dangers of the CryptPKO Infection

CryptPKO Ransomware can hijack the homepage on your default browser and redirect your searches to various unsafe and questionable URLs. It also can flood browsers with tons of pop-ups that will compromise the performance of your system, leading even to sudden crashes, conflicts between your other installed programs and general slowing down of your machine.

A huge number of spam emails with potentially harmful content in your Inbox could also be the results of CrypPKO's presence and activities. Overall, the malware should be immediately removed from your PC as it can also prevent Windows from installing the latest security updates, and your third-party anti-virus software from working properly. All these are factors that make your system vulnerable to all possible cyber threats.

Paying the ransom by no means guarantees the recovery of your data, while manual removal could be complicated if you are not an advanced PC user. Therefore, a professional malware removal tool should be your first choice for dealing with the matter.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to CryptPKO Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Posted: July 30, 2015
Threat Metric
Threat Level: 8/10
Infected PCs 27
Home Malware Programs Ransomware CryptPKO Ransomware

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.