This article aims to help you remove CRYPTO-BLOCKER ransomware and restore files that have been encrypted with the .corrupted file extension.
The .corrupted file encryption malware, known as CRYPTO-BLOCKER was detected at the beginning of May 2017. The virus encrypts the files on the infected computers and adds it’s custom file extension – .corrupted to the encrypted files. The .corrupted file virus then demands from victims the sum of 10 dollars or euros for 5 hours in order to restore encrypted files. In case your computer has been infected by this ransomware virus it is recommended to read this article carefully.
Threat Summary
| Name | CRYPTO-BLOCKER |
| Type | Ransomware |
| Short Description | The .corrupted ransomware encrypts files on your computer system and it shows a ransom note, demanding 10 USD or EUR to be paid in 5 hours. |
| Symptoms | This ransomware virus will encrypt your files and place the .corrupted extension on each one of them. |
| Distribution Method | Spam Emails, Email Attachments |
| Detection Tool | See If Your System Has Been Affected by CRYPTO-BLOCKER Download Malware Removal Tool | User Experience | Join Our Forum to Discuss CRYPTO-BLOCKER. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
CRYPTO-BLOCKER – How Does Infect
The distribution process of .corrupted file ransomware is performed in multiple methods. The primary method of those may be via e-mail spam messages. Such junk e-mail may contain convincing statements that aim to get potential victims to open e-mail attachments or click on web links that lead to malicious sites. In both chases the victim is deceived that it is of utmost importance to open the document, similar to what the example below displays:
After the victim opens the malicious file, the infection by CRYPTO-BLOCKER is inevitable, meaning that the virus will drop the malicious files on the victim’s computer, including the malicious executable, detected in VirusTotal to be the following:
Other methods by which this infection process can take place is if the malicious file is directly uploaded on Torrent websites in an archive, posing as a key generator, part of a game installation or other license activators.
.corrupted Ransomware – In-Depth
Once .corrupted ransomware has caused an infection of the victim’s computer, multiple different files, including it’s main Crypto-Blocker.exe file may be dropped on various Windows folders:
- %AppData%
- %Roaming%
- %Local%
- %LocalLow%
After the files are dropped on the victim’s computer, one of them may create a registry value to run the encryption process on system boot. The targeted Windows registry key for this may be the following:
→“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run”
After this has been performed, the CRYPTO-BLOCKER .corrupted ransomware infection may additionally delete the shadow copies to eliminate chances of restoring your files via programs via System Restore or shadow explorer software:
→vssadmin.exe delete shadows /all /Quiet
.corrupted File Virus – Encryption Process
For the encryption of this virus to be executed, it takes advantage of one very particular encryption algorithm, widely used by ransomware makers – the Advanced Encryption Standard also known as AES cipher.
In addition to this, the ransomware virus also targets very specific files for encryption. For this variant, CRYPTO-BLOCKER may look for the following files to encrypt them:
“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN”
After it detects that files with the above-mentioned types are present on the computer, the ransomware encrypts blocks of data of those files, making them non-readable. The files appear like the following:
In addition to adding the .corrupted file extension to the data, the ransomware also drops the following ransom note, named “CRYPTO-BLOCKER ENCRYPT YOUR FILES!”:
Hello, {User}
This is the hacker company, we encrypt all your personal files (OS, Documents, Images,…)
This program is actually a ransomware, you’ve been hacked !
If you want to keep your PC alive, please pay 10 (dollars, euros, pounds, you choose the money type)
After paying, get your decryption key, this virus close by itself.
If you didnt pay after 5 hours then… your PC will crash or maybe unusable.
YOU HAVE 5 HOURS!
Type code here:
Remove CRYPTO-BLOCKER and Revert .corrupted Files
Before actually proceeding with the removal process of this ransomware infection, the CRYPTO-BLOCKER encrypted files should be copied onto another drive, just in case.
Then, we recommend following the instructions below in order to get rid of this ransomware virus’ files. For maximum effectiveness when removing CRYPTO-BLOCKER, we recommend focusing on removing the virus automatically with an advanced anti-malware software. This will ensure the full removal of this infection plus the future protection of your system with active support.
In case you are not willing to pay the 10 dollars or euros ransom, you can try restoring your files, by following the alternative tools for file recovery in step “2. Restore files encrypted by CRYPTO-BLOCKER” below. They are not likely to restore all of your files, but most of them may surely be recovered.
