
GrodexCrypt Ransomware

Posted: June 5, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 7
First Seen: June 5, 2017
OS(es) Affected: Windows

The GrodexCrypt Ransomware is a remake of a previous Trojan, the Crypt888 Ransomware, that modifies the victim's UI while keeping the original encryption attacks that let it block your files. Victims may remedy this file-locking behavior by recovering through backups or freeware after resolving the infection. Delete the GrodexCrypt Ransomware with dedicated anti-malware products when possible, ideally before it starts encrypting anything on your PC.

Covering Elderly Trojans with Splashes of Paint

The value in aesthetics is something that even the programmers of threatening software know all too well and is one of many aspects that they can use to trick a victim into doing what they want. However, a new look doesn't always imply new attacks; with Trojans like the GrodexCrypt Ransomware, the threat actor is doing little more than changing the shallowest parts of the program. Users who can divorce the symptoms they see from the tactics needed to resolve these attacks can avoid problems like being on the losing side of extortion.

Most of the GrodexCrypt Ransomware's code is identical to that of the old Crypt888 Ransomware, a Trojan that uses encryption for locking files on your PC. Such attacks tend to target documents, spreadsheets, pictures, and other content that are commonly used but not required by the operating system. Encrypting these files makes them illegible without a corresponding decryption that the GrodexCrypt Ransomware's author withholds for ransom.

The most significant contribution of this updated version of the Trojan is the GrodexCrypt Ransomware's new ransoming message, which uses an advanced HTML pop-up. Features malware analysts note within the message include:

  • The GrodexCrypt Ransomware places its ransom payments on a two-day timer before, supposedly, deleting your encrypted media and the decryption key.
  • The GrodexCrypt Ransomware uses an e-mail-based ransom negotiating method while asking for no more than 50 USD in Bitcoins, raising the chances of casual PC users being the intended targets of its attacks.
  • The user can interact with some elements of the window, including a FAQ button and a more detailed payment button. The GrodexCrypt Ransomware's wallet address also uses an editable field, which is a hallmark of RaaS or Ransomware-as-a-Service Trojans.

The Trouble of Covering Old Age with New Beauty

The GrodexCrypt Ransomware's new threat actor has put some effort into making the Trojan look like a fresh, original program. However, the GrodexCrypt Ransomware's payload, including its encryption method, is identical to those in previous use by old threats. This detail is important, due to the high chance that free decryption software will be able to unlock any files that the GrodexCrypt Ransomware attacks. Malware analysts also note no sign that the GrodexCrypt Ransomware includes further features to destroy 'your whole computer,' as its ransoming message asserts.

Samples of the GrodexCrypt Ransomware use names that imitate Windows components to hide after other threats install them. The GrodexCrypt Ransomware may bundle itself with free downloads, obscure its installation vehicle in an e-mail attachment, or use the drive-by-downloads of a Web page's exploit kit to compromise your computer. Keep your anti-malware programs patched and active to help them detect and remove the GrodexCrypt Ransomware during the installation attempt instead of after it encodes any of your content.
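One defender-side triage check for the Windows-component masquerading described above, added here as an example and not code from the original page: a process that borrows a Windows component's name but runs from outside that component's directory is flagged for review. The component allowlist and the process records are constructed assumptions standing in for a listing exported from a real host; the page names no specific file names used by this Trojan.

```python
import ntpath
from typing import Iterable

# Hypothetical allowlist (constructed for this example): Windows component names
# and the directories each legitimately runs from, all lower-case. Build the real
# list from a known-good host rather than trusting this one.
WINDOWS_COMPONENTS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "csrss.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
}


def is_masquerading(image_name: str, image_path: str) -> bool:
    """True when a process uses a tracked component's name but not its directory.

    ntpath is used explicitly so the check handles Windows-style paths even when
    the triage script itself runs on a non-Windows analysis box.
    """
    allowed_dirs = WINDOWS_COMPONENTS.get(image_name.lower())
    if allowed_dirs is None:
        return False  # not a name we track; nothing to compare against
    actual_dir = ntpath.dirname(ntpath.normcase(image_path))
    return actual_dir not in allowed_dirs


def flag_suspicious(processes: Iterable[tuple[str, str]]) -> list[str]:
    """Return the image paths of every (name, path) record that looks like masquerading."""
    return [path for name, path in processes if is_masquerading(name, path)]


# Constructed sample listing: three legitimate processes and one impostor that
# reuses a system component's name from a user-writable directory.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("SVCHOST.EXE", r"C:\Users\victim\AppData\Roaming\svchost.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for path in flag_suspicious(SAMPLE_PROCESSES):
        print("review:", path)
```

A hit from this check is a lead, not a verdict: confirm with the file's signature, hash and parent process before acting on it.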

The cost of taking a Trojan's word in blind faith is always high, both monetarily, and for your security. Don't let new-looking Trojans like the GrodexCrypt Ransomware dictate how you respond to their fundamentally derivative strategies.