
CryptPKO Ransomware

Posted: July 30, 2015

Threat Metric

Threat Level: 8/10
Infected PCs: 44
First Seen: July 30, 2015
Last Seen: May 6, 2023
OS(es) Affected: Windows

CryptPKO is a ransomware threat that locks the files on your computer and demands a fee in return for a decryption key. This type of malware infects through a Trojan embedded in an email attachment or a third-party program, and it is one of the most dangerous threats out there. CryptPKO has been around since late 2014 and belongs to the Crypto Ransomware family. The malware is also known as Crypt.pko; similar threats include CTB Locker and CrypVault.

CryptPKO Takes Your Data Hostage

As soon as it infects your computer, CryptPKO scans your hard drive to find and encrypt files that look user-specific, so you should expect all your personal data, in files of any format, to be affected. CryptPKO can be distinguished by the way it interacts with its victims. It does not use the more elaborate approach in which the ransom note is delivered through a user interface for automated communication and payment. Instead, CryptPKO drops a text document named 'HOW TO DECRYPT FILES.txt' on the desktop that displays the ransom note when opened. The ransom note can also appear as a lock screen message when you start your computer.

The note states that all files on your computer are encrypted because you broke the law. In the note, the malware asks you to visit a page named http://plc.lixter.com and, if this site is not working, advises you to email stoppiracy@email.su. You are given five attempts to enter the code; if these are unsuccessful, the malware threatens that your data will be irreversibly lost. In some cases, CryptPKO can also ask the victim to transfer 0.619 BitCoins to the following address: 198tX7NmLg6o8qcTT2Uv9cSBVzN3oEozpv. The note also gives an eight-character ID to be entered on the above site in order to proceed with the payment of the ransom.

Some researchers claim that the makers of CryptPKO do not care much about privacy, as they ask victims to visit a web page that is not even SSL-protected. Other reports show this page is usually offline and, just like with other ransomware threats, infected users have to send an email to the cybercriminals in order to receive the instructions. They also have to download the Tor browser, as the site indicated in the ransom note cannot be reached with any other browser. Extorted amounts depend on the geographic location and the type of victim, yet the usual ransom is around $500.

CryptPKO Infects Through Drive-By Downloads or Spoof Emails

When the malware infects through the so-called 'drive-by download' technique, the malicious file is hidden within a pop-up window whose dialog box prompts you to install a legitimate-looking update of Flash, Java or any other legitimate software installed on your computer. The other way of infecting with CryptPKO is through spam emails; in this case security experts believe hackers use botnet computers from which they send the emails with the malicious attachments. Botnets are worldwide networks of computers controlled by hackers and used by them to send spoof emails. Such emails disguise the real name of the sender and make the message appear as if it comes from a trustworthy source, like a big online retailer, a financial institution or even a government authority. Using social engineering techniques, hackers try to fool you into opening the email and downloading the attachment that carries the malware's Trojan.

CryptPKO Uses Typical Encryption Methods But Adds Its Own Marks

CryptPKO appends the extensions .i2dzqu or .i8xmgq to the infected files, making them unrecognizable to your operating system. The encryption affects between 2048 and 4096 bits of the file, and infected files could also look like this: 'document.docx.fd2342412'. CryptPKO uses a strong encryption algorithm such as RSA-2048, and the private key required to decrypt the data is stored on the hackers' server.

If you are infected with CryptPKO, you will notice multiple suspicious *32 processes running in your Task Manager. The malware embeds itself deep in your system and is highly persistent. It creates keys in the Windows Registry under the HKEY_CLASSES_ROOT section, like CryptPKO.CryptPKO.1 and CryptSig.CryptSig.1:
""="CryptPKO Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptPKO.CryptPKO.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptPKO Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptPKO Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wpm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL"
HKEY_LOCAL_MACHINE\Software\Classes\[CryptPKO Ransomware]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\[CryptPKO Ransomware]

The malware also creates files in your "Temporary Files", "Application Data" and "User Profiles" folders. These files can look like this:

  • %Temp%\CryptPKO.exe
  • %Appdata%\CryptPKO.reg
  • %Systemroot%\CryptPKO\[Random].exe
  • %Localappdata%\[Random].dll
  • %Homepath%\[Random].bat
  • %Allusersprofile%\[Random].ini
  • %Windir%\SysWOW64\[Random].dll
  • %CommonProgramFiles%\CryptPKO.ini
  • %Homedrive%\CryptPKO\[Random].exe
  • %Windir%\System32\drivers\[Random].sys
  • %Windir%\System32\[Random].dll
  • %Systemroot%\System32\[Random].dll

The malware can also create a "C:\ProgramFiles\CryptPKO Ransomware" folder, yet this could be hidden or made to look like a normal folder, so you may not recognize it.
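The appended extensions, the 'document.docx.fd2342412' naming pattern, the 'HOW TO DECRYPT FILES.txt' note and the CryptPKO.exe/.reg/.ini drop names above are the file-system indicators a responder can check for. The following scanner is an added example, not code from the original write-up; it generalizes the single 'fd2342412' sample to any '.fd' followed by digits (an assumption) and runs against a constructed sample tree rather than a live system.

```python
from __future__ import annotations
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up.
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"
KNOWN_SUFFIXES = {".i2dzqu", ".i8xmgq"}
# Assumption: the '.fd2342412' sample is generalised to '.fd' + digits.
NUMERIC_SUFFIX = re.compile(r"^\.fd\d+$")
# Dropped-file names listed under %Temp%, %Appdata% and %CommonProgramFiles%.
DROPPED_NAMES = {"cryptpko.exe", "cryptpko.reg", "cryptpko.ini"}


def classify(path: Path) -> str | None:
    """Return an indicator label for a path, or None if it matches nothing."""
    name = path.name
    if name == RANSOM_NOTE:
        return "ransom-note"
    if name.lower() in DROPPED_NAMES:
        return "dropped-file"
    # An encrypted file keeps its original extension and gets a marker appended,
    # so we need at least two suffixes and the last one must be a known marker.
    suffixes = path.suffixes
    if len(suffixes) >= 2:
        last = suffixes[-1]
        if last in KNOWN_SUFFIXES or NUMERIC_SUFFIX.match(last):
            return "encrypted-file"
    return None


def scan(root: Path) -> dict[str, list[str]]:
    """Walk root and bucket matching paths (relative, POSIX style) by label."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath, fname)
            label = classify(p)
            if label:
                hits.setdefault(label, []).append(p.relative_to(root).as_posix())
    return hits


def demo() -> dict[str, list[str]]:
    """Build a constructed sample tree (harmless placeholder bytes) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Desktop").mkdir()
        (root / "Temp").mkdir()
        for rel in ["Desktop/HOW TO DECRYPT FILES.txt", "Desktop/report.xlsx.i2dzqu",
                    "Desktop/document.docx.fd2342412", "Desktop/notes.txt",
                    "Temp/CryptPKO.exe", "Temp/archive.tar.gz"]:
            (root / rel).write_bytes(b"constructed sample")
        return scan(root)
```

Point `scan()` at a mounted image or user profile to triage it; `notes.txt` and `archive.tar.gz` in the demo show that ordinary single- and double-extension files are not flagged.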

You can also find CryptPKO as an extension or an add-on to your browser where the malware could appear under names like "CouponsHelper", "FVD Video Downloader", "Searchqu Toolbar", or "PageRank Status". Further on, it can show up as "Fortop FLV Player" on the list of your installed programs.

Additional Symptoms and Dangers of the CryptPKO Infection

CryptPKO Ransomware can hijack the homepage of your default browser and redirect your searches to various unsafe and questionable URLs. It can also flood browsers with numerous pop-ups that degrade the performance of your system, leading even to sudden crashes, conflicts between your other installed programs and a general slowing down of your machine.

A huge number of spam emails with potentially harmful content in your Inbox could also be a result of CryptPKO's presence and activity. Overall, the malware should be removed from your PC immediately, as it can also prevent Windows from installing the latest security updates and stop your third-party anti-virus software from working properly. All these are factors that make your system vulnerable to all possible cyber threats.

Paying the ransom by no means guarantees the recovery of your data, while manual removal could be complicated if you are not an advanced PC user. Therefore, a professional malware removal tool should be your first choice for dealing with the matter.
