A ransomware named CryptoBit was found by Panda Security researchers a few days ago. Files with around 100 extensions are locked with an AES key, and that key is then encrypted with RSA. The ransom demands a payment of one Bitcoin within the first day after encryption. Every day that passes with the ransom unpaid raises the price by one more Bitcoin. To remove the ransomware and see if you can restore your files, you should carefully read this article.
|Short Description||The ransomware encrypts files with a mixture of AES and RSA algorithms and demands a ransom paid in Bitcoin for decryption.|
|Symptoms||Files for archives and storage, images, databases, and documents will get encrypted and become inaccessible. A ransom message with instructions for paying is created.|
|Distribution Method||Targeted Emails, Exploit Kits|
CryptoBit Ransomware – Delivery
CryptoBit ransomware can infect you in a number of ways. The current and most effective delivery method for it is through Exploit Kits.
The first attacks are reported to have happened at the beginning of April. Other delivery methods for this ransomware are not excluded. Malicious attachments containing the malware might also arrive in spam or targeted emails. The body of such an email alone might contain malicious code too.
Your computer might also get infected by similar malicious files and exploit kits delivered through social networks and file-sharing services. CryptoBit is still a new ransomware, so visiting websites that you don’t know or clicking on suspicious links might also start the infection.
CryptoBit Ransomware – Description
The CryptoBit malware is classified as ransomware. Panda Security researchers discovered it in their PandaLabs a couple of days ago. After infection, your computer will be scanned for files to encrypt. The ransomware targets everything from office documents to whole databases. After infection, CryptoBit may also create registry entries so that it loads automatically on every start of Windows.
Researchers say CryptoBit might be reverse-engineered, as it has a unique pattern in the way it encrypts files. The ransomware looks similar to Salam! ransomware, or at least uses the same ransom note. The only difference in the note is that the malware creators left an alternative way of being contacted.
The note with instructions for contacting the cyber criminals is named HEY!.
You are given a unique ID. The instructions read:
Your ID: 32489981
Hi. Your files are now encrypted. I have the key to decrypt them back.
I will give you a decrypter if you pay me. If you pay me today, the price is only 1 bitcoin.
If you pay me tomorrow, you will have to pay 2 bitcoins. If you pay me one week later the price
will be 7 bitcoins and so on. So, hurry up.
Contact me using this email address: firstname.lastname@example.org
If you don’t get a reply or if the email dies, then contact me using Bitmessage:
download it form here
Run it, click New Identity and then send me a message at BM-NBvzKEY8raDBKb9Gp1xZMRQpeV5svwg2
The ransomware makers have set the price for decryption at 1 Bitcoin for the first 24 hours. If the payment is not made by that deadline, the price grows by 1 Bitcoin for each passing day. The price for 1 Bitcoin is the equivalent of 447 US dollars at this moment.
Paying the ransom or contacting the ransomware creators is NOT recommended. There is no guarantee that you will get your files back. Paying up would only support the cyber crooks and their criminal actions. They might even get motivated to make a stronger variant of their product.
The CryptoBit ransomware is recorded to search for files with around 100 different file extensions to encrypt. The encryption process is very peculiar – it locks all files with a single AES 256-bit key. After that, the key itself is encrypted with RSA-4096.
Still unknown is whether the ransomware deletes Shadow Volume Copies from Windows. Apart from reading the removal instructions written below, you should check out the tips given in this forum topic about ransomware and how you can prevent it from working and infecting your PC.
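To scope which folders were hit, a responder can search for the HEY! note and pull out the victim ID and Bitmessage contact it contains. The script below is an added example, not code from Panda Security or from the ransomware itself. The function names, the prefix match on the file name (the note's extension is not stated here) and the UTF-8/ASCII decoding are assumptions.

```python
import os
import re
import sys

# Markers taken from the ransom note quoted in this article.
NOTE_NAME_PREFIX = "HEY!"          # assumption: any extension may follow
MARKER = "Your files are now encrypted"
ID_RE = re.compile(r"Your ID:\s*(\d+)")
# "BM-" followed by base58 characters, the Bitmessage address form in the note.
BITMESSAGE_RE = re.compile(r"\bBM-[1-9A-HJ-NP-Za-km-z]{20,40}\b")
MAX_NOTE_BYTES = 64 * 1024         # notes are small text files; skip anything larger


def inspect_note(path):
    """Return a finding dict if the file reads like the HEY! note, else None."""
    try:
        if os.path.getsize(path) > MAX_NOTE_BYTES:
            return None
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="replace")
    except OSError:
        return None                # unreadable or vanished file: skip it
    if MARKER not in text:
        return None                # right name, wrong content: not the note
    victim_id = ID_RE.search(text)
    return {
        "path": path,
        "victim_id": victim_id.group(1) if victim_id else None,
        "bitmessage": BITMESSAGE_RE.findall(text),
    }


def scan(root):
    """Walk root and return findings for note-like files, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().startswith(NOTE_NAME_PREFIX):
                hit = inspect_note(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    # Usage: python find_note.py <directory>; prints one line per note found.
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["path"], f["victim_id"], ",".join(f["bitmessage"]))
```

Each directory that contains a matching note is a directory the ransomware walked, which helps decide which backups to restore first.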
Remove CryptoBit Ransomware and Restore Encrypted Files
If CryptoBit ransomware has infected your computer, you should have at least some experience in removing malware. The ransomware can encrypt all of your files, so it is highly recommended that you act and follow the step-by-step instructions provided below.