CryptoLockerEU Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 7,065
Threat Level: 20 % (Normal)
Infected Computers: 1,304
First Seen: January 5, 2017
Last Seen: September 21, 2023
OS(es) Affected: Windows

The CryptoLockerEU Ransomware is a ransomware Trojan that labels itself as the CryptoLockerEU 2016. The CryptoLockerEU Ransomware encrypts its victims' files and then adds the extension '.send 0.3 BTC crypt' to the end of each file's name, making it easy to see which files have been compromised. This is one of the first cases of the CryptoLockerEU Ransomware including the ransom amount in the file extension used to mark affected files. The CryptoLockerEU Ransomware delivers its ransom note in the form of a text file that may show up as 'ĐŔŃŘČÔĐÎÂŔŇÜ ÔŔÉËŰ.txt' or as 'РАСШИФРОВАТЬ ФАЙЛЫ,' depending on whether the victim's version of Windows can display Cyrillic characters. This file's name translates as 'DECRYPT FILES.txt' and contains the CryptoLockerEU Ransomware's ransom note. Malware analysts strongly advise computer users to avoid paying the CryptoLockerEU Ransomware's ransom. Instead, the CryptoLockerEU Ransomware should be removed completely, and affected files should be restored from a backup copy. It is possible that malware analysts will release a decryption utility for the CryptoLockerEU Ransomware eventually.
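The appended extension and the two renderings of the note's name are enough to scope the damage on a host before restoring from backup. The triage script below is an added example, not part of the original write-up. It relies on the fact that the garbled name quoted above is the Cyrillic name's Windows-1251 bytes displayed under Windows-1250, and generalizes that to other code pages; the code-page list, function names and sample tree are assumptions made for illustration.

```python
import os
import unicodedata
from collections import Counter

MARKER = ".send 0.3 BTC crypt"     # extension quoted on this page
NOTE_STEM = "РАСШИФРОВАТЬ ФАЙЛЫ"   # ransom note name quoted on this page

def note_names(codepages=("cp1250", "cp1252")):
    """Note file names to match: the Cyrillic form plus its cp1251 bytes
    rendered under other ANSI code pages (assumed list, extend as needed)."""
    raw = NOTE_STEM.encode("cp1251")
    stems = {NOTE_STEM} | {raw.decode(cp) for cp in codepages}
    return {s.lower() + ".txt" for s in stems}

def classify(name, notes=None):
    """Return ('encrypted', original_name), ('note', name) or None."""
    notes = notes or note_names()
    low = unicodedata.normalize("NFC", name).lower()
    if low.endswith(MARKER.lower()) and len(name) > len(MARKER):
        return ("encrypted", name[: -len(MARKER)])
    if low in notes:
        return ("note", name)
    return None

def triage(root):
    """Walk root and summarise impact: affected paths with their original
    names, ransom note paths, and a count of original extensions."""
    notes = note_names()
    affected, found_notes, by_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind, value = classify(name, notes) or (None, None)
            path = os.path.join(dirpath, name)
            if kind == "encrypted":
                affected.append((path, value))
                by_ext[os.path.splitext(value)[1].lower()] += 1
            elif kind == "note":
                found_notes.append(path)
    return affected, found_notes, by_ext

def build_sample_tree(root):
    """Constructed sample data: empty files with names shaped like the page's."""
    names = ["report.docx" + MARKER, "scan.PDF" + MARKER, "todo.txt",
             "ĐŔŃŘČÔĐÎÂŔŇÜ ÔŔÉËŰ.txt", os.path.join("sub", NOTE_STEM + ".txt")]
    for rel in names:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
```

The per-extension count from `triage()` tells you which file types need restoring, and the recovered original names can be checked against the backup catalogue.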

How the CryptoLockerEU Ransomware may be Distributed

The most common way of distributing the CryptoLockerEU Ransomware is through corrupted email attachments. The email messages used to distribute the CryptoLockerEU Ransomware have been observed to have some of the following subject lines:

'Upgrade to Windows 10 for Free.
Claim the free iTunes tracks now.
You have lost access to your PayPal funds.
Your flight status has been confirmed.
Someone wants to add you on LinkedIn.'

The emails are designed to trick computer users into opening an attached file or clicking on an embedded link using a variety of tactics. Because of this, one of the best ways to prevent the CryptoLockerEU Ransomware and other threats is always to avoid opening unsolicited email attachments or clicking on links in these kinds of emails. A strong anti-spam filter can also prevent these corrupted email messages from reaching the victim in the first place.

The Poor Implementation of the CryptoLockerEU Ransomware

Since the CryptoLockerEU Ransomware is a relatively new threat, PC security researchers have not released a lot of information about it. However, it is likely that the people responsible for the CryptoLockerEU Ransomware attack are relatively inexperienced, since many aspects of the CryptoLockerEU Ransomware are poorly implemented, particularly its ransom note. As soon as the CryptoLockerEU Ransomware is installed, it begins encrypting the victim's files. The CryptoLockerEU Ransomware searches for the following file types during its attack, encrypting each of these files using a strong encryption algorithm:

.7z .rar .m4a .wma .avi .wmv .csv .d3dbsp .sc2save .sie .sum .ibank .t13 .t12 .qdf .gdb .tax .pkpass .bc6 .bc7 .bkp .qic .bkf .sidn .sidd .mddata .itl .itdb .icxs .hvpl .hplg .hkdb .mdbackup .syncdb .gho .cas .svg .map .wmo .itm .sb .fos .mcgame .vdf .ztmp .sis .sid .ncf .menu .layout .dmp .blob .esm .001 .vtf .dazip .fpk .mlx .kf .iwd .vpk .tor .psk .rim .w3x .fsh .ntl .arch00 .lvl .snx .cfr .ff .vpp_pc .lrf .m2 .mcmeta .vfs0 .mpqge .kdb .db0 .DayZProfile .rofl .hkx .bar .upk .das .iwi .litemod .asset .forge .ltx .bsa .apk .re4 .sav .lbf .slm .bik .epk .rgss3a .pak .big .unity3d .wotreplay .xxx .desc .py .m3u .flv .js .css .rb .png .jpeg .txt .p7c .p7b .p12 .pfx .pem .crt .cer .der .x3f .srw .pef .ptx .r3d .rw2 .rwl .raw .raf .orf .nrw .mrwref .mef .erf .kdc .dcr .cr2 .crw .bay .sr2 .srf .arw .3fr .dng .jpe .jpg .cdr .indd .ai .eps .pdf .pdd .psd .dbfv .mdf .wb2 .rtf .wpd .dxg .xf .dwg .pst .accdb .mdb .pptm .pptx .ppt .xlk .xlsb .xlsm .xlsx .xls .wps .docm .docx .doc .odb .odc .odm .odp .ods .odt.

Below is the full text of the CryptoLockerEU Ransomware's ransom note, which itself is written in English even though the file's name is in Russian:

'CryptoLockerEU 2016 rusia
Your important liles encryption produced on this computer:photos,videos,document,etc.
Encryption was produced using a RSA-2045bit !!
To Obtime the private key for this computer, which will automatically
decrypt files, you have to send 0.3 BTC to bitcoin adres 14bPTE6DVpx8Vrzk1wt3M8XsJ5YU3ebzKo
You will receive your private key + software within 2 hours.
You have just 7 days before the private key (password) is deleted
https://www.coinbase.com/buy-bitcoin
https://cex.io/buy-bitcoins
– transfer 0.3 BTC 14bPTE6DVpx8Vrzk1wt3M8XsJ5YU3ebzKo
VIRUS ID: {CUSTOM ID}
– on add email
– we send password + software decrypt (now)
– Messengers verification emal – Payments email (bitcoin)
Send : virus id+Bitcoin payment (verification)
decryptme.files@mail.ru
europol.eurofuck@yandex.com
super.decryptme2016@yandex.com
efwerez2015@yandex.com'

URLs

CryptoLockerEU Ransomware may call the following URLs:

windowsdetector.com
