Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


CryptPKO Description And Removal

Name CryptPKO
Type Ransomware, Trojan
Short Description CryptPKO encrypts significant user files, demanding most likely financial compensation ransom from the victim.
Symptoms Encrypted files such as ‘document.docx.fd2342412’ that cannot be opened and ‘HOW TO DECRYPT FILES.txt’ object on the user desktop.
Infection Method Via spam/spoof emails, using botnet computers. Via physical access to the PC. Via downloads from the internet.
Detection tool Download SpyHunter, to See If Your System Has Been Affected By CryptPKO

cryptpko-ransomwareCryptPKO is regarded as a Ransomware Trojan that encrypts important files and deploys HOW TO DECRYPT.txt file on the victim PC’s desktop. This dangerous threat may be distributed via many methods, main of which are via email, downloads from redirects or MITM attacks. This type of malware is very dangerous, and security officials report that in the .txt file there are ransom demands to decrypt the data along with contacts. Experts strongly advise against complying with the attackers’ terms and not to communicate with them by any means.

How Did I Get CryptPKO?

Cyber criminals have become very smart in how they infect computers. Their attacks have become targeted mainly towards businesses and organizations. FBI have reported an estimate of 18 million dollars in losses from such attacks. Black hat hackers are believed to use botnets, which are networks of computers worldwide that are under their control, i.e. ‘zombie’ PCs. Via those, hackers conduct their attacks, mainly through spoof emails. This type of mail disguises the sender’s address, making it look like someone known to the recipient, increasing the likelihood of infection.

Once infected, the attacker may have full control over every move the victim does on the computer. However most attackers may tend to break connection with the victim PCs so that they cannot be traced back by law enforcement. Another method of infection from this hideous threat is man-in-the-middle type of attacks. In some cases, the attacker may physically install ransomware on an unmonitored computer in an organization.

What Does CryptPKO Do?

This ransomware is reported to encrypt mostly documents and other files, changing the name of the file as shown:

→document.docx to document.docx.i2dzqu

After which, it deploys a text document on the desktop of the PC with the following text:

→Attention !!! You broke the law !! All your files are encrypted !!
To restore your files visit http://plc.lixter.com if the site is not working, please write to email stoppiracy@email.su Your id f3424452
You have 5 attempts to enter the code. Above this
limit, all the data irreversibly deteriorate.

From this point, the files of the user that have been changed are not accessible via any software. They have been encrypted most likely with an encryption ranging from 2048 to 4096 bits. This kind of encryption is not an easy one to break if you do not have the proper decrypting software. In some cases, the files may even be replaced with other encrypted data and the original information could be stored only in the attackers’ hard drives.

After scanning the registries of an infected computer with CryptPKO security researchers have displayed in forums which registry keys and values were associated with this threat.

→ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptPKO.CryptPKO.1] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9- 00C04FC29D45}\VersionIndependentProgID] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptSig.CryptSig.1] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C719-39BF-11D1-8CD9- 00C04FC29D45}\VersionIndependentProgID] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]

Security experts strongly advise against manually removing any objects associated with CryptPKO ransomware, because they may initiate a script that will delete their files and, therefore, lose them

CryptPKO Ransomware Removal And Decryption

In case you have this ransomware installed on your computer, it is highly recommended not to comply with the ransom demands in any way and to seek immediately professional help. First, you should swiftly disconnect your equipment. After that, it is recommended to reboot the PC in Safe mode and download a reputable anti-malware program on a non-infected PC. You may use a USB flash drive to transfer the installer of the anti-malware program to your Safe Mode booted PC. After which it is advisable to scan your computer, and the anti-malware will remove any files associated with this ransomware.

IMPORTANT: Transfer a copy of the encrypted files to another USB flash drive before attempting any removals.

Also, here are easy step-by-step instructions to enable the Microsoft Windows Defense feature to backup your files and have the ability to restore them immediately to an earlier state before their encryption:

1) Download a particular anti-malware scanner and remove the CryptPKO files from the computer.

2) Open Properties by right-clicking on My Computer and then choosing it.

properties (1)

3) Open Advanced System Settings

advanced-system-settings

4) Go to System Protection.

configure-protection-290x300
5) Mark the HDD partition on which you have necessary files, and you want to defend.

6) Click Configure and then click on Turn On System Protection.

7) Click OK and you are all set

After you have this protection switched on, if something happens to your data, you may be able to restore them, using those steps:

1) Right-Click the encrypted file and then choose Properties.

2) Click the Previous Versions button.

3) At this point, you should see an earlier version of the file with a ‘last modified’ date.

4) Mark the file with the mouse and then choose the down-right button that says Restore.

IMPORTANT:

If your files were previously encrypted, this software might leave some files, such as registry values and others on your system. This is why, recommendations are to download a particular anti-malware program that will ensure your protection and terminate any traces of the malicious software.

donload_now_250
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.