Cryptobyte Ransomware

Cryptobyte Ransomware Description

The Cryptobyte Ransomware is a file encoder Trojan that was released with a massive spam campaign in the third week of April 2017. Computer security researchers recognize the Cryptobyte Ransomware as an updated build of the CryptXXX (a.k.a. BTCWare) Ransomware, which we reported on back in March 2016. The Cryptobyte Ransomware joins threats like the Microsoft Decryptor Ransomware and the CrypMIC Ransomware that are based on CryptXXX. Evidently, the Cryptobyte Ransomware is aimed at users who run Windows 7, 8.1 and 10 (32-bit and 64-bit releases). Computer users may come into contact with the Trojan by opening spam emails and loading text documents sent by unknown senders. The Cryptobyte Ransomware is classified as a mid-tier crypto-threat that uses customized AES and RSA ciphers to lock data on computers. We have seen the Cryptobyte Ransomware create the following directory to host its files:

“C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C”

The encrypted files may be shown in Windows Explorer with blank icons and carry a marker appended by the Cryptobyte Ransomware. Computer security researchers reported that the threat is known to use the '.[btc.com@protonmail.ch].cryptobyte' and '.[no.xm@protonmail.ch].cryptobyte' markers. Depending on the version that has compromised your PC, a file such as 'Cute Capybara.png' may be renamed to 'Cute Capybara.png.[no.xm@protonmail.ch].cryptobyte.' The Trojan may run as 'FOTOLOOK ...exe,' and 'fotomeker.exe,' and users may notice that files with the following extensions are encrypted:

.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

The ransom note is dropped as an INF file named '#_HOW_TO_FIX.inf,' which can be found in:

“C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\#_HOW_TO_FIX.inf”

The note reads:

'All your files have been encrypted
If you want to restore them, write us to the e-mail: no.xm@protonmail.ch
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
FREE DECRYPTION AS GUARANTEE
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 10Mb
Attention! Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
Your ID:
[RANDOM CHARACTERS]'
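The rename marker, ransom-note file name and staging directory quoted above are enough to build a first-pass triage of a file listing from an affected machine. The following script is an added example (not code from the original write-up or from the malware): it recovers the pre-encryption file name from the '.[contact].cryptobyte' marker, records which contact address the variant uses, and flags the note and the C:\MSOCache directory; the sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted in the write-up: the rename marker '<name>.[<e-mail>].cryptobyte',
# the ransom-note file name, and the directory the Trojan creates under C:\MSOCache.
MARKER_RE = re.compile(
    r"^(?P<original>.+?)\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.cryptobyte$", re.IGNORECASE)
RANSOM_NOTE = "#_HOW_TO_FIX.inf"
STAGING_DIR = PureWindowsPath(r"C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C")


def classify(path_str):
    """Return ('encrypted'|'note'|'staging', details) for one path, or None if clean."""
    p = PureWindowsPath(path_str)
    m = MARKER_RE.match(p.name)
    if m:  # recover the pre-encryption name for the inventory and note the contact address
        return "encrypted", {"original": m.group("original"), "contact": m.group("contact").lower()}
    if p.name.lower() == RANSOM_NOTE.lower():
        return "note", {"dir": str(p.parent)}
    if p == STAGING_DIR or STAGING_DIR in p.parents:  # PureWindowsPath compares case-insensitively
        return "staging", {"file": p.name}
    return None


def triage(paths):
    """Summarise a list of paths (e.g. from a file listing) into a small incident report."""
    report = {"encrypted": [], "notes": [], "staging": [], "contacts": set()}
    for s in paths:
        hit = classify(s)
        if hit is None:
            continue
        kind, info = hit
        if kind == "encrypted":
            report["encrypted"].append((s, info["original"]))
            report["contacts"].add(info["contact"])
        elif kind == "note":
            report["notes"].append(info["dir"])
        else:
            report["staging"].append(info["file"])
    return report


# Constructed sample listing; the names mirror the examples given in the text.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\Cute Capybara.png.[no.xm@protonmail.ch].cryptobyte",
    r"D:\Work\report.docx.[btc.com@protonmail.ch].cryptobyte",
    r"C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\#_HOW_TO_FIX.inf",
    r"C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\ose.exe",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\archive.cryptobyte.bak",  # similar suffix but no marker: must stay clean
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(key, value)
```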

Unfortunately, the encryption procedure is secure, and users have no way of recovering their data unless they have backup images and archives that are not affected by the Cryptobyte Ransomware. The threat is designed to delete its traces on the infected PC and is likely to mark the following files for deletion:

%USERPROFILE%\Desktop\0x411\BTCWare\btcw\Release\btcw.pdb
"C:\FOTOLOOK ...exe" marked "C:\FOTOLOOK ...exe" for deletion
"C:\FOTOLOOK ...exe" marked "C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml" for deletion
"C:\FOTOLOOK ...exe" marked "C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\ose.exe" for deletion
"C:\FOTOLOOK ...exe" marked "C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\osetup.dll" for deletion
"C:\FOTOLOOK ...exe" marked "C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\OWOW64WW.cab" for deletion
"C:\FOTOLOOK ...exe" marked "C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\PidGenX.dll" for deletion
"C:\FOTOLOOK ...exe" marked "C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\setup.exe" for deletion
"C:\FOTOLOOK ...exe" marked "C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\Setup.xml" for deletion
"C:\FOTOLOOK ...exe" marked "C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml" for deletion

The procedure is intended to hinder AV vendors that attempt to build a virus signature and to limit the exposure of the Cryptobyte Ransomware's distribution and operations. It is understandable if you are considering writing to no.xm@protonmail.ch or btc.com@protonmail.ch to ask for help. However, we do not encourage users to contact the cyber extortionists because you may lose your money and your files on the same day. It is best to clean the machines affected by the Trojan with the help of a reputable anti-malware scanner. AV tools may detect the files linked to the Cryptobyte Ransomware and display warnings that include the following names:

  • Gen:Variant.Zusy.232805
  • Ransom:Win32/Betisrypt.A
  • Ransom_BTCWARE.F117DI
  • TR/AD.RansomHeur.wdblv
  • Trojan-Ransom.Win32.Blocker.jzju
  • Trojan.Win32.Filecoder
  • Trojan/Win32.TSGeneric
  • W32/Trojan.MXGR-3653
