Cryptoshocker, carrying a name familiar to the notoroious Cryptolocker has recently started causing problems more and more often. The .locked file extension is added and an extremely powerful encryption cipher has been used to encode users’ files. Infected users are extorted to pay the hefty sum of 200 dollars in BitCoins to the cyber-crimials. This is done by using anonymous Tor networking communication. Everyone infected should not pay any ransom and wait for a decryptor to be released by malware researchers in the near future (we will post a web link here if it has been created).
In the meantime it is strongly advised to remove the ransomware and try alternative methods for file restoration, like the ones in this article.
Stay tuned with this article for more information about the ransomware to come.
|Short Description||The ransomware encrypts files with the AES cipher and asks a ransom payment of 200$ for decryption.|
|Symptoms||Files are encrypted and become inaccessible. The .locked extension is added. The ransomware drops an “Attention.url” file on the desktop of the user which contains payoff conducting instructions.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
See If Your System Has Been Affected by Cryptoshocker
Malware Removal Tool
|User Experience||Join our forum to Discuss Cryptoshocker Ransomware.|
Cryptoshocker Ransomware’s Distribution Methods
Such infections may be spread via URLs, which are featured in the body of spammed e-mail messages. The messages are usually disguised as a convincing service or product users are usually registered in. When the user opens the malicious URL, he or she may experience a so-called browser redirect which can lead successful infection.
Cryptoshocker Ransomware In Detail
As soon as it`s launched in the victim`s computer, Cryptoshocker may employ a malicious executable on several usually targeted Windows locations:
- %User’s Profile%
- %My Documents%
The file may be obfuscated and it’s name may resemble a legitimate Windows service or be completely random, for example:
After being dropped, the file belonging to Cryptoshocker may begin to encrypt files with a powerful AES cypher. At this moment it is not clear as to what strength of AES has been used by Cryptoshocker’s creators but it is widely believed that its strenght may vary from 128 to 512 bit encryption. An RSA cipher may be used to encrypt the AES decryption key and send it to the cyber-criminal’s servers by connecting to them. The encrypted types of files by Cryptoshocker may be:
- Audio files.
- Database files.
The ransomware may not encrypt Windows key files for obvious reasons, which makes its removal possible. After encryption, Cryptoshocker adds the .locked file extension, for example:
- New Text Document.txt.locked
After being added, Cryptoshocker drops the following file on %Desktop%:
It leads the user to a website with ransom demands:
Text: “Your files are locked. You must deposit the specified ammount of BitCoin into the address provided below.”
Remove Cryptoshocker and Try To Restore Encrypted Files
In order to remove this ransomware virus from your computer, we strongly urge you to try using the removal instructions we have posted below. If you fail to follow the manual instructions or if you simply wish maximum effectiveness, it is recommended to follow the Automatic removal guide.
To restore your files, at the moment there is no direct solution. However, we will post an update at the beggining of this article as soon as researchers make a breaktrough. In the meantime you may try to restore a small portion of your data using the alternative methods in step “3. Restore files encrypted by Cryptoshocker” below. They may not be 100 percent effective but in some situations may work.
Manually delete Cryptoshocker from your computer
Note! Substantial notification about the Cryptoshocker threat: Manual removal of Cryptoshocker requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.