Cryptolocker.AB is a Ransomware Trojan horse of the Cryptolocker family. It searches for files with many different extensions, encrypts them with a “.crinf” extension, then asks for a huge ransom for decryption. It can delete Shadow Volume Copies, disable Windows Startup Repair, and end important system processes.
|Short Description||The Cryptolocker.AB Trojan horse locks the user’s important files and demands a payment. From the CryptoLocker Ransomware family|
|Symptoms||Files are locked in a ‘.crinf’ file format and a ransom message is displayed. Payment instructions are included in a file.|
|Distribution Method||Distribution method is not yet clear. It can be distributed through browsing unsafe sites, malicious email attachments, drive-by downloads, etc.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by Cryptolocker.AB Ransomware|
|User Experience||Join our forum to discuss the CryptoLocker.AB Ransomware.|
Cryptolocker.AB Ransomware – How Did I Get It?
There are a number of ways you could get infected with Trojans such as the Cryptolocker.AB Ransomware.
The most common distribution method is known to be through malicious email attachments and spam emails. There are even cases, where an email itself also contains malicious code and upon opening the email, the user infects its computer with it, even if he doesn’t open the attachment inside.
Around social networks and file sharing services there may be similar attachments and files containing the Cryptolocker.AB Ransomware, disguised as something else.
Another common way of getting infected with Ransomware is through exploit kits run from legitimate websites. For exploit kits to run, these websites must have been compromised, to have some sort of a security breach. Also, landing suspicious sites with malicious code on them may just as easily get you infected.
Cryptolocker.AB Ransomware – In Detail
The Cryptolocker.AB Trojan horse is also classified as Ransomware. The known file extensions which the newer variant from the Cryptolocker family seeks to encrypt are:
→.3dm .3ds .3fr .3g2 .3gp .7z .ACCDB .ach .ai .aiff .arw .asf .asx .avi .back .backup .bak .BAY .bin .blend .c .cdr .cer .cpp .cr2 .crt .crw .cs .dat .db .DBF .dcr .dds .DER .des .dit .DNG .doc .docm .DOCX .dtd .dwg .DXF .dxg .edb .eml .eps .ERF .fla .flac .flvv .gif .groups .h .hdd .hpp .html .iif .INDD .java .jpe .JPEG .jpg .jsp .kdc .key .kwm .log .lua .m .m2ts .m4p .m4v .max .mdb .mdf .MEF .mkv .mov .mp3 .mp4 .mpeg .mpg .MRW .msg .nd .ndf .nef .nk2 .nrw .nvram .oab .obj .ODB .odc .odm .ODP .ods .odt .ogg .orf .ost .P12 .p7b .P7C .pab .pas .pct .pdb .PDD .pdf .PEF .pem .pfx .php .pif .pl .png .pps .ppt .PPTM .pptx .prf .ps .PSD .pst .PTX .pwm .py .qba .qbb .qbm .qbr .qbw .qbx .qby .qcow .qcow2 .qed .R3D .raf .RAW .rm .rtf .rvt .rw2 .rwl .safe .sav .sql .SR2 .SRF .srt .srw .stm .svg .swf .tex .tga .thm .tlg .vbox .vdi .vhd .vhdx .vmdk .vmsd .vmx .vmxf .vob .wav .WB2 .wma .wmv .wpd .wps .X3F .XLK .xlr .XLS .xlsb .xlsm .xlsx .yuv
After files with any of the above extensions are found and encrypted, the Ransomware appends a “.crinf” extension, to the back of the name of each file. Afterwards, the Ransomware Trojan deletes all Windows Shadow Volume Copies and disables Windows Startup Repair, preventing restoration of any files that are backed-up in this way.
Then, the Cryptolocker.AB Trojan may end the following processes on the PC:
That is also very dangerous, because that disables many options for the user to do modifications via System editor programs, Startup settings, Registry rules and etc. The user may not be able to gain much information about the malicious program, let alone delete all of its files without that information.
The following remote location is being set, to which the Cryptolocker.AB Trojan connects:
After all these actions are set and done, while users may not even notice them, the Ransomware makes itself known. It changes the desktop wallpaper on the compromised computer and displays a message box with a ransom note and instructions on how to pay the ransom.
The initial price is 500$, and it doubles after only 12 hours. Do NOT pay it in absolutely ANY circumstance! There is no telling if the cyber criminals will even contact you back, let alone give you any decryption key.
All of the actions performed by the Cryptolocker.AB Ransomware are very dangerous as they can allow it to stay as long as possible on your computer and lock as much files as it can. You should remove it immediately, as it may continue to encrypt more files if left on your machine!
Remove Cryptolocker.AB Ransomware Completely
To completely remove the Cryptolocker.AB Ransomware Trojan from your computer, you should have at least minimal experience in removing viruses. It is highly recommended to first to back up all of your personal files that you value, no matter if it is encrypted. Afterwards, carefully follow the instructions provided here:
After its removal, you might try recovering your files, using backups from an external device or cloud if you made such backups in the past. Another option is to try using decryptors that have worked with previous versions of the Cryptolocker Ransomware family, but know that the encryption of this version might be stronger!