A new piece of ransomware, dubbed CryptoFortress, was reported by French malware researcher Kafeine a few days ago. The threat appears to be similar to the infamous TorrentLocker ransomware, but CryptoFortress is capable of encrypting files on network shares even when they are not mapped to a drive letter.
CryptoFortress – Infiltration and Encryption Process
The CryptoFortress ransomware is distributed via spam email messages, fake Flash updates, rogue media players, etc.
Once active, the infection starts encrypting all files on the compromised machine, appending a .ftrtss extension to each, and demands a ransom of one Bitcoin (approximately US$300) for their decryption. The victim is allowed to decrypt two files of up to 500 KB each as proof that the rest of the files will be restored once the required fee has been paid. Even though this is supposed to serve as a guarantee that you will get your data back, experts recommend against paying the ransom, because doing so funds the cyber criminals' further malicious activities.
The best way to protect your system against ransomware infections is to keep your anti-virus solutions updated and back up your files on a regular basis. Never download attachments to emails sent from unknown sources and carefully choose the websites you download software from. Keep in mind that P2P networks can also be used to bundle CryptoFortress with other files.
The CryptoFortress ransomware employs AES encryption to encrypt the following types of files: .blob, .rar, .doc, .odb, .cas, .esp, .pdf, .lvl, .gdb, .asset, .wma, .avi, .txt, .m3u, .mcgame, .png, .jpeg, etc.
In order to erase all Shadow Volume Copies so that the victim would be unable to restore the data from them, CryptoFortress issues the following command:
    vssadmin delete shadows /all /quiet
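Since this command is one of the few loud, reliable indicators a ransomware infection leaves in process-creation telemetry, here is an added detection example (not from the original article) that flags vssadmin shadow-copy deletions in Sysmon-style process-creation events. The event fields, the sample events and the severity heuristic (parent process living in a user-writable directory) are constructed assumptions for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
# The second and third entries mirror the command CryptoFortress issues, in two spellings.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\flashupdate.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /Quiet /All',
     "ParentImage": r"C:\Users\victim\AppData\Roaming\player.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe READ IF YOU WANT YOUR FILES BACK.html",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Match the verb regardless of case or switch order ("/all /quiet" vs "/Quiet /All").
DELETE_SHADOWS = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# Assumed heuristic: parents under these directories are where dropped malware usually runs from.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)


def is_shadow_deletion(image: str, cmdline: str) -> bool:
    """True when vssadmin.exe (by image basename) is run with the 'delete shadows' verb."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe == "vssadmin.exe" and DELETE_SHADOWS.search(cmdline) is not None


def triage(event: dict):
    """Return a finding for a shadow-deletion event, or None. Any deletion is worth
    review; one launched from a user-writable path is rated high."""
    if not is_shadow_deletion(event.get("Image", ""), event.get("CommandLine", "")):
        return None
    parent = event.get("ParentImage", "")
    severity = "high" if USER_WRITABLE.search(parent) else "medium"
    return {"severity": severity, "command": event["CommandLine"], "parent": parent}


def find_shadow_deletions(events):
    """Run triage over a batch of events and keep only the findings."""
    return [hit for hit in (triage(e) for e in events) if hit is not None]


if __name__ == "__main__":
    for hit in find_shadow_deletions(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['parent']} -> {hit['command']}")
```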
The Ransom Message
Upon successful infiltration and after encrypting the victim’s data, CryptoFortress creates a file – READ IF YOU WANT YOUR FILES BACK.html. The ransom note provides the user with detailed instructions on how the payment should be handled. The message contains links to a TOR C&C server where the victim can find the address the ransom must be sent to.
What Makes CryptoFortress Different Than Other Ransomware?
Ransomware seen so far has retrieved the list of drive letters on the affected machine and then encrypted the files on those drives. Network shares on the same network were therefore safe as long as they were not mapped to a drive letter. What makes CryptoFortress unique is that it also tries to enumerate open SMB network shares and then encrypts the ones it finds. This new ability is yet another reason to secure your shared folders properly.
There is no doubt that encrypting non-mapped network shares turns CryptoFortress into a serious problem for network administrators. From now on, backup strategies will need to include drive rotation, which makes offline or cloud backups the preferred option if you want to keep your files out of ransomware's reach.
How To Remove CryptoFortress from Your PC?
The current analysis shows that no tools so far are capable of decrypting the files affected by CryptoFortress. The manual below will help you remove CryptoFortress by booting your computer into Safe Mode; however, your compromised data will remain encrypted.
This article will be updated as soon as reliable information about the decryption process is issued.
- Guide 1: How to Remove CryptoFortress from Windows.
- Guide 2: Get rid of CryptoFortress from Mac OS X.
How to Remove CryptoFortress from Windows.
Step 1: Boot Your PC In Safe Mode to isolate and remove CryptoFortress
Step 2: Uninstall CryptoFortress and related software from Windows
Here is a method in a few easy steps that should be able to uninstall most programs. No matter whether you are using Windows 10, 8, 7, Vista or XP, these steps will get the job done. Dragging the program or its folder to the Recycle Bin is a bad idea: bits and pieces of the program are left behind, which can lead to an unstable PC, broken file type associations and other unpleasant effects. The proper way to get a program off your computer is to uninstall it.
Step 3: Clean any registry entries created by CryptoFortress on your computer.
The registry keys usually targeted on Windows machines are the following:
You can access them by opening the Windows Registry Editor and deleting any values created by CryptoFortress there. To do so, follow the steps underneath:
Step 4: Scan for CryptoFortress with SpyHunter Anti-Malware Tool
Step 5 (Optional): Try to Restore Files Encrypted by CryptoFortress.
Ransomware infections and CryptoFortress aim to encrypt your files using an encryption algorithm which may be very difficult to decrypt. This is why we have suggested a data recovery method that may help you go around direct decryption and try to restore your files. Bear in mind that this method may not be 100% effective but may also help you a little or a lot in different situations.
If the above link does not work for you and your region, try the other two links below, that lead to the same product:
Get rid of CryptoFortress from Mac OS X.
Step 1: Uninstall CryptoFortress and remove related files and objects
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:
- Go to Finder.
- In the search bar type the name of the app that you want to remove.
- Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
- If all of the files are related, press ⌘+A to select them and then drag them to “Trash”.
In case you cannot remove CryptoFortress via Step 1 above:
In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:
You can repeat the same procedure with the following other Library directories:
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 2: Scan for and remove CryptoFortress files from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as CryptoFortress, the recommended way of eliminating the threat is by using an anti-malware program. Combo Cleaner offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Step 3 (Optional): Try to Restore Files Encrypted by CryptoFortress on your Mac.
The CryptoFortress ransomware for Mac aims to encrypt all your files using an encryption algorithm which may be very difficult to break unless you pay the ransom. This is why we have suggested a data recovery method that may help you bypass direct decryption and try to restore your files, but only in some cases. Bear in mind that this method may not be 100% effective, but it may help you a little or a lot in different situations.