CryptoWire Ransomware

The CryptoWire Ransomware is being distributed for free on Github as a 'proof of concept' of ransomware. However, a working version of the CryptoWire Ransomware was easy to download and implement. The CryptoWire Ransomware is being offered for 'educational' purposes. This supposed educational approach had failed numerous times before with other, similar threats, which were simply adapted by con artists to carry out attacks on unsuspecting computer users.

The CryptoWire Ransomware Utilizes Windows Services to Attack Computers

The CryptoWire Ransomware is created using AutoIt and runs as a script on the victim's computer. The CryptoWire Ransomware will use Windows services such as bcdedit.exe and rundll32.exe to carry out its attack while bypassing security software detection. These features have the potential of making other ransomware that such as the CryptoWire Ransomware, are written using AutoIt, to become very popular among threat distributors. The CryptoWire Ransomware uses an advanced encryption algorithm, the AES-256, to encrypt the victim's files and prevent them from accessing their data. The CryptoWire Ransomware will avoid the following directories when carrying out its encryption on the victim's computer:

• AppData
• Program Data
• Program Files
• Program Files (x86)
• Windows

The CryptoWire Ransomware will encrypt all files on the victim's computer, including files in network folders, removable memory devices connected to the infected computer and all local drives. The CryptoWire Ransomware also will target files contained in shared folders and similar locations. This makes the CryptoWire Ransomware substantially more threatening than many other ransomware Trojans that do not have this capability. The CryptoWire Ransomware encrypts absolutely everything, without any exceptions, as long as it is not contained in one of the folders listed above. The CryptoWire Ransomware also takes steps to make sure that its attack is permanent. The CryptoWire Ransomware deletes all shadow volume copies and backup images and re-writes them ten times, which makes them inaccessible permanently. This is a considerably thorough attack for a ransomware Trojan that supposedly only functions as a 'proof of concept.'

The CryptoWire Ransomware does not change the targeted files' extension, unlike other ransomware Trojans. The CryptoWire Ransomware will deliver all information about the attack to a remote server. The CryptoWire Ransomware will corrupt the boot file, preventing startup repair and enabling the CryptoWire Ransomware to run automatically when Windows starts up. The CryptoWire Ransomware displays the following message in an error message:

'Your files has been safely encrypted
The only way you can recover your files is to buy a decryption key
The payment method is Bitcoins. The price is $200 = 0.2909 Bitcoins'

The text under which the CryptoWire Ransomware is being distributed on GitHub says:

'the CryptoWire - A advanced prof of concept ransomware project without a panel, to prevent skids from abusing it.
Compile : Requires autoit version: v3.3.14.2
Open source: http://ge.tt/1uQXLoa2
Encryption algoritm is AES 256.
The ransomware will encrypt all files stored on: Network drives, Network Shares, Usb Drives/sticks, Externals Disks, Internal Disks, Games (Steam), Onedrive, Dropbox, Google Drive (any cloud service that is running on the machine).
It encrypts all files It's not extension based. The max file size limit is 30 mb, you can change that if you want. The reason is to keep the performance high, while targetting most files.
All shadow copies are being permanently deleted upon execution.
The old non-encrypted files are being overwritten 10 times, and then deleted permanently. Only the encrypted files will be left back. The recyclebin is being overwritten 10 times and deleted permanently as well.
It will avoid heuristic detections by calculating different math algorithms.
Persistence startup.
Machine Domain check. If the victims pc is joined to a domain (company machine) the ransom will be 10x bigger (you can change that).'

Regardless of the authors' supposed efforts to make an 'Educational Malware,' it is very clear that efforts have been made to make the CryptoWire Ransomware as powerful as possible. Computer users should take steps to protect their computers from this threat, as well as backing up all files on a device that will not remain connected to the backed up system.

Update December 13th, 2018 — Cryptre Ransomware

The Cryptre Ransomware is an encryption ransomware Trojan that was first observed on December 13, 2018. The Cryptre Ransomware is a variant of CryptoWire, a known ransomware Trojan that was analyzed previously. The Cryptre Ransomware has several variants, all belonging to the CryptoWire Ransomware family. The Cryptre Ransomware carries out a typical encryption ransomware attack, taking the victim's files hostage to demand a ransom payment from the victim.

How the Cryptre Ransomware Trojan Attacks a Computer

The Cryptre Ransomware uses a strong encryption algorithm to make the victim's files inaccessible, targeting a wide variety of the user-generated files in its attack, which may include various documents, media files, databases, configuration files and other file types. An exemplification of the data that threats like the Cryptre Ransomware target in these attacks may include:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The Cryptre Ransomware will be delivered to the victims by using corrupted spam email attachments, often utilizing embedded macro scripts to download and install the Cryptre Ransomware onto the victim's computer. Once the Cryptre Ransomware has been installed, the Cryptre Ransomware will use the AES encryption to make the victim's files inaccessible and mark each compromised file by adding the file extension '.encrypted' to the file's name. The Cryptre Ransomware's attack delivers a ransom note in the form of a program note named 'Crypte,' which contains the following text message:

'Your files has been safely encrypted
Encrypted files: [random number]
[list of addresses of encrypted files]
[Buy Bitcoins|BUTTON] [Decrypt Files|BUTTON] [TEXT BOX FOR THE DECRYPTION KEY]
The only way you can recover your files is to buy a decryption key
The payment method is Bitcoins. The price is $200 = [current value] Bitcoins
Click on the 'Buy decryption key' button.'

The Cryptre Ransomware demands ransom payments that are higher than previous variants in this ransomware family.

Protecting Your Data from Threats Like the Cryptre Ransomware

The best protection against threats like the Cryptre Ransomware is to have backup copies of your files. Having backup copies of all your data and storing these on the cloud or another safe device ensures that computer users can restore their data after an attack without having to contact the criminals or pay any ransom. Apart from file backups, it is also crucial that computer users use a security program to protect their data from threats like the Cryptre Ransomware. A combination of file backups, security software, and precautions when browsing the Web can ensure that one is completely protected from threats like the Cryptre Ransomware.

SpyHunter Detects & Remove CryptoWire Ransomware