Remove OPdailyallowance Virus (Hidden Tear) and Restore .CRYPTR Files

Remove OPdailyallowance Virus (Hidden Tear) and Restore .CRYPTR Files

OPdailyallowance image ransomware note .CRYPTR extension

The OPdailyallowance Virus is a ransomware strain of the Hidden Tear family targeting computer users worldwide. The captured samples carry the initial infection commands, we presume that further updates to it may include newer components and additional instructions. Refer to our in-depth article for a technical analysis.

Threat Summary

NameOPdailyallowance virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts sensitive information on your computer system with the .CRYPTR extension and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with a strong encryption algorithm.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by OPdailyallowance virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss OPdailyallowance virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

OPdailyallowance – Distribution Ways

The OPdailyallowance virus is a recently discovered ransomware that appears to be based on an earlier sample of Fsociety which itself is part of the larger Hidden Tear family of threats. This means that it does contain a modular framework allowing it to be customized further and extended by the criminal operators. Specific versions can be made for each individual attack campaign.

As the OPdailyallowance virus is modular in nature it can follow both the traditional behavior patterns as other Hidden Tear based threats or follow other examples. So far it appears that the attacks target mainly English-speaking users which signal a global campaign. So far the security researchers have not uncovered a preferred or main delivery method, this shows that the criminals probably use several techniques.

A typical infection would begin by calling the data harvesting module which is programmed into harvesting strings that can be grouped into two main categories:

  • Private User Data — The OPdailyaallowance virus can expose the identity of the victims by looking out for strings such as the victims name, address, phone number, location, interests and any stored account credentials. The bulk of this data can be used to carry out both identity theft and financial abuse crimes.
  • Anonymous Data — The other major group of information that is harvested by the engine is used by the criminals to optimize the virus delivery. A common element is a report of the installed hardware components, certain operating system values and user settings.

To further spread the virus files the criminals can create infected download sites. They incorporate elements of famous web portals and vendor download sites in order to blackmail the victims into thinking that they have accessed a real and legitimate site. The hackers usually rely on certificates and similar sounding domain names.

Many Hidden Tear based viruses rely on infection via an infected payload carrier. There are two main type which are the most common:

  • Documents — Macros code can be embedded in documents of all types: rich text documents, spreadsheets, databases and presentations. Once they are opened by the victims a notification prompt will appear asking them to enable the built-in content. If this is done the infection will follow.
  • Application Installers — Virus infections can happen through the installation of malicious setup files. They can be acquired using the above-mentioned methods and are actually hacker-modified copies of the legitimate installers. The criminals take the real setup files of popular software that are frequently installed by end users: creativity suites, system utilities and productivity solutions.

To distribute these files the operators can use file sharing networks like BitTorrent. They are often used to spread pirate data however due to the fact that the virus files can take forms of documents and application installers, they can easily spoof user-uploaded content.

Advanced infections can be made by employing another delivery method via malicious web browser plugins, alternatively known as hijackers. They represent hacker-modified or created versions of plugins made for the most popular web browsers. They are imbued with the virus install code and uploaded to the relevant repositories using fake developer credentials and user reviews. Their descriptions often includes promises of new feature and enhancement of already existing ones. Once they are installed the built-in code will redirect the users to a hacker-controlled site and also deliver the OPdailyaallowance virus infection.

OPdailyallowance – In-Depth Analysis

The security analysis shows that the captured OPdailyallowance samples are customized versions of FSociety. The virus itself is part of the greater Hidden Tear family of threats.

It is very possible that the virus is made by an inexperienced hacker or criminal collective as the Hidden Tear source code is publicly available. It is also possible that this is an order made on the hacker underground markets.

Like previous samples that originate from this family it may follow the usual behavior pattern of beginning with an information extracting module. The built-in engine will automatically look for strings that can be of use to the operators. This can give the operators information about the users thereby exposing their identity. Information about them may include their name, address, phone number, interests, location and account credentials. Additional data that can be harvested may include a full report on the installed hardware components, user settings and operating system values. The bulk of the information can be used for crimes such as identity theft and financial abuse.

The stealth protection module can be called afterwards as it can use the information gathered to look for applications and services that can interfere with the encryption. This is done via a signature scan that monitors for any installed and running anti-virus programs, sandbox environments and virtual machines.

When these modules have completed running they will allow the virus to overtake full control of the infected machines. The OPdailyallowance virus engine will be able to spawn multiple threads, hook up to system processes and also gain access to administrative privileges.

Viruses typically access and modify the Windows Registry. When strings related to the operating system are changed then this can cause a drop in the overall system performance and stability. Modifications to user-installed applications can render certain functions non-working.

In certain cases the OPdailyallowance virus can also attain a persistent state of execution. This means that the ransomware main engine will be executed once the computer is powered on. Modifications to the system will be done to make sure that no process, service or application will interrupt it. An additional provision is the removal of access to the startup recovery menu — this also prevents most manual removal instructions from being used.

To make recovery more difficult the hackers can program the instances to also delete any identified Shadow Volume Copies and System Restore Points. This means that full system recovery will need to be done with a professional-grade solution, refer to our instructions for more details.

Threats like this one are also likely of being used to spread Trojans. The typical infection will connect to a hacker-controlled server and follow the instructions of the operators. This technique will allow the criminals to take over control of the computers, spy on the users and hijack their sensitive files – prior and after the ransomware engine has been activated. Trojans are also popular for distributing other threats as well.

As the engine used in this virus is modular it can be modified according to each attack campaign or a subset of criminals. Hidden Tear viruses can be extended into automating network attacks. This can be useful in planning large-scale infiltration attempts.

OPdailyallowance — Encryption

Once all components have executed correctly the ransomware engine will start. Like previous Hidden Tear based threats it will process files with a strong cipher based on a built-in list of target data. An example list includes the following file types:

  • Archives
  • Databases
  • Backups
  • Images
  • Videos
  • Music

All processed files will be renamed with the .CRYPTR extension. In addition there are three ransomware notes (text file variants) that are created in various folders and on the user’s desktop: INTRUCTION.html, PAYMENT !!!.txt and ATTANTION!!!.txt.

They will all display generic blackmail text that will manipulate the victims into paying the hackers a “decryption fee”.

Remove OPdailyallowance Ransomware Virus and Restore .CRYPTR Files

If your computer got infected with the OPdailyallowance ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share