A new piece of ransomware, dubbed CryptoFortress, has been reported by French malware researcher Kafeine a few days ago. The threat appears to be similar to the infamous TorrentLocker ransomware, but CryptoFortress is capable of encrypting files over network shares even in the cases when they are not mapped to a drive letter.
CryptoFortress – Infiltration and Encryption Process
The CryptoFortress ransomware is distributed via spam email messages, fake Flash updates, rogue media players, etc.
Once active, the infection starts encrypting all files on the compromised machine by adding a .ftrtss extension and demands a ransom of one Bitcoin (approximately US$300) for their decryption. The victim is allowed to decrypt two files of up to 500 KB as proof that the rest of the files will be restored as soon as the required fee has been paid. Even though this is supposed to serve as a guarantee that you will have your data back, experts recommend against paying the ransom because this way you support cyber criminals in their malicious activities.
The best way to protect your system against ransomware infections is to keep your anti-virus solutions updated and back up your files on a regular basis. Never download attachments to emails sent from unknown sources and carefully choose the websites you download software from. Keep in mind that P2P networks can also be used to bundle CryptoFortress with other files.
The CryptoFortress ransomware employs AES encryption to encrypt the following types of files: .blob, .rar, .doc, .odb, .cas, .esp, .pdf, .lvl, .gdb, .asset, .wma, .avi, .txt, .m3u, .mcgame, .png, .jpeg, etc.
In order to erase all Shadow Volume Copies so that the victim would be unable to restore the data from them, CryptoFortress issues the following command:
vssadmin delete shadows /all /quiet
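Because the shadow-copy wipe is one of the few loud, well-defined actions in the infection chain, it is a natural detection point. The following is an added example, not code from the article or from any vendor: it runs over a handful of constructed process-creation log lines (the pipe-separated format, the hostnames and the parent process names are all assumptions) and flags any vssadmin invocation that deletes shadow copies, rating an /all wipe higher than a scoped deletion and tolerating quoted paths, mixed case and reordered switches.

```python
"""Detect Shadow Volume Copy deletion via vssadmin in process-creation logs.

Added example for this article. The log line layout
    timestamp|host|parent_image|image|command_line
and every sample event below are constructed for illustration, not taken
from a real incident or from CryptoFortress itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events (assumed format, not real telemetry).
SAMPLE_EVENTS = [
    "2015-03-10T09:14:02Z|WS01|explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2015-03-10T09:15:47Z|WS01|update_flash.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2015-03-10T09:15:48Z|WS02|cmd.exe|C:\\Windows\\System32\\vssadmin.exe|\"C:\\Windows\\System32\\vssadmin.exe\"  Delete  Shadows  /Quiet /All",
    "2015-03-10T09:16:10Z|WS03|svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /for=C: /oldest",
    "2015-03-10T09:17:00Z|WS01|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe readme.txt",
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    parent: str
    severity: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited event into its five named fields."""
    fields = line.split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed event: {line!r}")
    timestamp, host, parent, image, cmdline = fields
    return {"timestamp": timestamp, "host": host, "parent": parent,
            "image": image, "cmdline": cmdline}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole.

    Quotes are stripped and everything is lower-cased so that
    'Delete Shadows /Quiet /All' matches the same rule as the plain form.
    """
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def inspect_event(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the event is a vssadmin shadow-copy deletion."""
    image_name = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    tokens = tokenize(event["cmdline"])
    if image_name != "vssadmin.exe" or not tokens:
        return None

    # Drop the program token itself (bare name or quoted full path).
    first = tokens[0]
    args = tokens[1:] if first == "vssadmin" or first.endswith("vssadmin.exe") else tokens
    if "delete" not in args or "shadows" not in args:
        return None  # 'vssadmin list shadows' and friends are benign

    switches = {t for t in args if t.startswith("/")}
    if "/all" in switches:
        severity = "high"
        reason = "vssadmin delete shadows /all: every Shadow Volume Copy removed"
    else:
        severity = "medium"
        reason = "vssadmin delete shadows with a scoped target"
    if "/quiet" in switches:
        reason += " (quiet: no confirmation prompt)"

    return Alert(event["timestamp"], event["host"], event["parent"], severity, reason)


def scan(lines: List[str]) -> List[Alert]:
    """Run the detector over raw log lines and return all alerts in order."""
    alerts = []
    for line in lines:
        alert = inspect_event(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity.upper()}] {a.timestamp} {a.host} parent={a.parent}: {a.reason}")
```

The parent process is carried into the alert on purpose: legitimate shadow-copy deletion comes from backup software or an administrator's console, so a freshly downloaded "updater" or media player spawning vssadmin is the context that turns a medium-confidence match into an incident.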
The Ransom Message
Upon successful infiltration and after encrypting the victim’s data, CryptoFortress creates a file – READ IF YOU WANT YOUR FILES BACK.html. The ransom note provides the user with detailed instructions on how the payment should be handled. The message contains links to a TOR C&C server where the victim can find the address the ransom must be sent to.
What Makes CryptoFortress Different From Other Ransomware?
The ransomware infections known so far have been retrieving a list of drive letters on the affected machine and then encrypting the files on them. Network shares on the same network were therefore safe as long as they were not mapped to a drive letter. What makes CryptoFortress unique is that the threat also tries to enumerate open SMB network shares and then encrypts the ones it finds. CryptoFortress' new ability is yet another reason to secure your shared folders properly.
There is no doubt that encrypting non-mapped network shares turns CryptoFortress into a huge problem for network administrators. Backup strategies will now have to include drive rotation, which makes cloud backups the preferred option if you want to keep your files out of the reach of ransomware.
How To Remove CryptoFortress from Your PC?
The current analysis shows that no tools so far are capable of decrypting the files affected by CryptoFortress. The manual below will help you remove CryptoFortress by booting your computer into Safe Mode; however, your compromised data will remain encrypted.
This article will be updated as soon as reliable information about the decryption process is issued.
The SpyHunter free scanner will only detect the threat. If you want the threat to be removed automatically, you need to purchase the full version of the anti-malware tool.