The newest CryptoNar Virus sample has been uncovered in a new attack campaign encrypting target user data with the .CryptoNar extension. The captured samples appear to be early test versions of it. Our article provides an overview of the virus operations and it also may be helpful in attempting to remove the virus.
| Field | Details |
|---|---|
| Short Description | The ransomware encrypts sensitive information on your computer system with the .CryptoNar extension and demands a ransom to be paid to allegedly recover the files. |
| Symptoms | The ransomware will encrypt your files with a strong encryption algorithm. |
| Distribution Method | Spam emails, email attachments |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
CryptoNar Virus – Distribution Ways
The CryptoNar virus samples are being distributed using an attack campaign that utilizes several different methods. The captured strains are relatively low in number and do not give researchers an indication of the main method. We presume that the criminals are going to use the most popular tactics in active campaigns.
A common technique is the coordination of email SPAM campaigns that use various social engineering tricks. The main goal of the hackers is to coerce the targets into interacting with the malicious elements that lead to the virus infections. The messages in most cases appear as legitimate notifications, password reminders and other emails that are commonly sent by Internet services and companies that the users may interact with. The virus files may be directly attached or linked in the body contents.
The criminals can also craft fake download pages which are counterfeit copies of the real vendor pages and Internet portals. To facilitate a higher number of infected computers the malicious users may use various scripts — redirects, pop-ups, ads, banners and in-line links.
These two methods are the main tactics for spreading infected payload carriers. There are two main types that are most commonly used to spread ransomware such as the CryptoNar virus:
- Macro-Infected Documents — The criminals can create numerous documents of different types (text files, presentations, databases and spreadsheets) that contain macros leading to the virus infection. Whenever they are opened by the target users a notification prompt will appear asking them to enable the built-in code.
- Application Installers — Code that can activate a CryptoNar virus infection may be embedded in installers for updates, applications or plug-ins.
These files can also be found on various file sharing networks such as BitTorrent. They are often used to access illegal and pirate content.
Advanced cases can integrate the threat in browser hijackers (redirects) that are made for the most popular web browsers. They represent dangerous extensions that pose as useful additions and are spread on the official repositories and various third-party sites. Their typical behavior is to modify the settings of the affected web browsers and redirect the users to a hacker-specified address. After this is done the virus infection will follow.
CryptoNar Virus – In-Depth Analysis
The security analysis reveals that the CryptoNar virus may contain some code from a previous infection known as CryptoJoker. It is possible that the code is a customized version of the former or that the hackers have reused some parts of its code. The fact that a common behavior pattern is used suggests that the threat is probably being ordered and/or used by an inexperienced hacker or criminal collective.
Typical ransomware infections begin with an information harvesting module. It is programmed by the attackers to automatically acquire information that can be further processed by the criminals. It can harvest personal information that can expose the identity of the users. This is done by looking out for strings containing their name, address, phone number, location or any stored account credentials.
In other cases the collected data can be used for attack optimizations. It allows the criminals to generate statistics for the most common type of infected computers. The collection includes a report on the installed hardware components, user-set settings and certain operating system conditions.
The whole database of collected strings can then be further processed by another component to protect the CryptoNar virus from being discovered. A scan of the infected system will be made looking for signs of installed applications and services that can interfere with the proper malware engine execution. The list includes any anti-virus programs, virtual machine hosts and debug environments.
Once the ransomware has taken over the system it can proceed with other operating system modifications as programmed by its operators. A common technique is to program Windows Registry changes — they seek to manipulate both the operating system strings and those belonging to the user-installed software. As a result the victims will face severe performance issues or the inability to access certain features. The creation of strings associated with the threat can be combined with boot menu changes. This will lead to the installation of the CryptoNar virus as a persistent threat. This means that the malicious engine will automatically start every time the computer is powered on. It can also disable access to the recovery menu which can make manual removal instructions useless.
To make recovery more difficult the engine can also delete System Restore data, including all System Restore Points and any identified Shadow Volume Copies. This means that effective restoration of encrypted files is possible only with a professional-grade solution. Refer to our instructions for more information.
Advanced infections can deliver a Trojan infection which allows the criminal operators to take over control of the infected hosts. This is done by setting up an encrypted connection with a hacker-controlled server. When it is active the operators can take over control of the systems, retrieve any file and also deploy additional threats.
CryptoNar Virus – Encryption
The CryptoNar virus uses the typical ransomware approach of utilizing a built-in list of target file type extensions. A strong cipher is used to process them; the end goal is to coerce the victim users into paying the criminals a “decryption fee”. A typical process list may include the following data types:
As a result all processed data will be renamed with the .CryptoNar extension. Two subtypes have been identified — .partially.CryptoNar and .fully.CryptoNar. The ransom note is created in a file called CryptoNar RECOVERY INFORMATION.txt. It reads the following message:
Your important files including photos, videos, documents, databases, etc. were encrypted with our CryptoNar ransomware. The only way to get your files back is to pay us. Otherwise, your files will be lost forever. Important note: Removing CryptoNar will not restore access to your encrypted files. Encryption was made using a unique RSA-2048 public key generated for this computer. To decrypt files you need to acquire the private key (decryption key). The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet; the server will eliminate the key after 72 hours since its generation (since the moment your computer was infected). Once this has been done, nobody will ever be able to restore your files. In order to receive your decryption key, you will have to pay $200 in bitcoins to this bitcoin address: 1FeutvrveiF8odnnx9Rr3cyBfFiecFeKwRq when time comes to send the bitcoins to us, make sure to include your e-mail and your personal ID (you can see it below) in the extra information box (it may appear also as ‘Extra Note’ or ‘optional message’) in order to get your personal decryption key. It may take up to 6-8 hours to take your personal decryption key. After the payment was made, and you received your decryption key, just press the decryption button in the decryptor (located on the desktop). Enter your decryption key you received, and wait until the decryption process is done. Your ID: [redacted]
Some versions also employ an application frame with the title Crypto Nar 1.0 which also displays the note.
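The two renaming subtypes and the ransom note file name described above are the artifacts a responder can inventory before attempting recovery. The following triage script is an added example written for this article, not the malware's own code or a vendor tool; the sample directory tree it builds, and the victim ID inside it, are constructed for the demonstration.

```python
import os
import re
import tempfile

# Indicators named in the article: the encrypted-file suffixes (longest first so
# the plain ".CryptoNar" form is only the fallback) and the ransom note file name.
ENCRYPTED_SUFFIXES = (".partially.CryptoNar", ".fully.CryptoNar", ".CryptoNar")
NOTE_NAME = "CryptoNar RECOVERY INFORMATION.txt"
ID_RE = re.compile(r"Your ID:\s*(\S+)")

def classify(name):
    """Return (subtype, original_name) for a renamed file, or (None, None)."""
    for suffix in ENCRYPTED_SUFFIXES:
        if name.endswith(suffix):
            subtype = "partial" if suffix.startswith(".partially") else "full"
            return subtype, name[: -len(suffix)]
    return None, None

def triage(root):
    """Walk `root` and inventory CryptoNar artifacts for an incident report."""
    report = {"partial": [], "full": [], "notes": [], "victim_ids": set()}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname == NOTE_NAME:
                report["notes"].append(path)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        match = ID_RE.search(fh.read())
                except OSError:
                    continue
                if match:  # the ID the note tells victims to quote; useful for correlating hosts
                    report["victim_ids"].add(match.group(1))
                continue
            subtype, _original = classify(fname)
            if subtype:
                report[subtype].append(path)
    return report

def make_sample_tree():
    """Build a constructed directory tree that mimics an infected profile."""
    root = tempfile.mkdtemp(prefix="cryptonar_demo_")
    os.makedirs(os.path.join(root, "docs"))
    for name in ("docs/budget.xlsx.fully.CryptoNar", "docs/movie.mp4.partially.CryptoNar",
                 "docs/readme.txt"):
        open(os.path.join(root, name), "w").close()
    with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("... Your ID: CONSTRUCTED-ID-0001\n")  # constructed value
    return root

if __name__ == "__main__":
    r = triage(make_sample_tree())
    print(f"fully encrypted: {len(r['full'])}, partially: {len(r['partial'])}, "
          f"notes: {len(r['notes'])}, ids: {sorted(r['victim_ids'])}")
```

Recording which files carry the .partially.CryptoNar suffix matters for recovery planning, since those may retain usable plaintext regions that a forensic tool can carve.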
Remove CryptoNar Virus and Restore Encrypted Files
If your computer system got infected with the CryptoNar Virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.