
CCryptor Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 10
First Seen: November 5, 2019
Last Seen: March 6, 2020
OS(es) Affected: Windows

Malware researchers struggle to keep up with all the data-locking Trojans, which are being pumped out into the wild by greedy cyber crooks with a lack of morals. Cybersecurity experts put a lot of effort into developing decryption tools that they release publicly to help infected users. However, with the sheer amount of ransomware threats out there, this is truly a Sisyphean task. At the end of October 2019, yet another ransomware was spotted lurking on the Web. It goes by the name CCryptor Ransomware and, so far, does not appear to be associated with any of the known ransomware families.

Propagation and Encryption

It has not been determined what infection vectors are being used to spread this new file-encrypting Trojan. Some believe that the main culprit is spam email campaigns, as this is one of the most popular methods of propagating threats of this type. Usually, the emails contain a carefully tailored message and an infected attachment. The user is urged to launch the attachment, often masked as an important document, which leads to the compromise of their system.

The CCryptor Ransomware scans the data on the PC as soon as it manages to infiltrate it. This helps the threat determine the locations of the files that are considered to be of interest. Authors of ransomware threats make sure their creations are able to encrypt a wide variety of file types, as this makes it more likely for the victim to consider giving in and paying up. Next, the CCryptor Ransomware applies an encryption algorithm to lock the targeted files. The newly locked files have the '.ccryptor' extension appended to their names. This means that a file previously named 'September-Sun.jpeg' will be renamed to 'September-Sun.jpeg.ccryptor' and will no longer be usable.

The Ransom Note

When the encryption process is completed, the CCryptor Ransomware drops a ransom note named 'README!!!.txt' which states:

'Your files were encrypted using AES-256 algorithm.
To decrypt them, you need to send the code
To the email address
And we will send you instructions for paying the ransom and decrypting files.
You must pay a ransom of $80.
Every day the ransom amount will increase by $5.
After 4 days all encrypted files will be deleted.'

The attackers claim to have used the popular AES-256 encryption algorithm to lock the victim's files. The ransom fee demanded is $80, but the authors warn that the price will rise by $5 with each passing day. Furthermore, the attackers claim that if the victim fails to pay up within four days of the attack taking place, the encrypted files will be deleted. The creators of the CCryptor Ransomware also have included an email address as a means of contacting them – ‘'
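The two indicators described above, the '.ccryptor' extension and the 'README!!!.txt' note, are enough to scope which folders were hit on a mounted disk or file share. The Python script below is an added example and not part of the original entry; the function names and the sample file tree are constructed for illustration.

```python
import os
from pathlib import Path

ENCRYPTED_SUFFIX = ".ccryptor"   # extension reported on this page
RANSOM_NOTE = "README!!!.txt"    # ransom note filename reported on this page

def triage(root):
    """Walk `root` and summarise CCryptor indicators for incident scoping."""
    encrypted, notes, earliest = [], [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lowered = name.lower()  # Windows file names are case-insensitive
            if lowered == RANSOM_NOTE.lower():
                notes.append(path)
            elif lowered.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]
                try:
                    mtime = path.stat().st_mtime
                    earliest = mtime if earliest is None else min(earliest, mtime)
                except OSError:
                    pass  # unreadable entry: still listed, just not timed
                # original_present: an unencrypted copy still sits beside it
                encrypted.append({"path": path, "original_name": original,
                                  "original_present": (Path(dirpath) / original).exists()})
    dirs = sorted({str(e["path"].parent) for e in encrypted})
    return {"encrypted": encrypted, "notes": notes, "affected_dirs": dirs,
            "earliest_mtime": earliest}  # earliest write time among locked files

def build_sample_tree(root):
    """Constructed sample data: empty placeholder files, names only."""
    root = Path(root)
    samples = {"pics/September-Sun.jpeg.ccryptor": 1000, "docs/report.docx": 500,
               "docs/report.docx.CCRYPTOR": 2000, "docs/README!!!.txt": 2100,
               "docs/notes.txt": 400}
    for rel, mtime in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")
        os.utime(target, (mtime, mtime))  # fixed timestamps for a repeatable result
    return root

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample_tree(tmp)))
```

The earliest modification time is only an estimate of when encryption started, since file timestamps can be altered; run the scan against a read-only mount or a disk image rather than the live system.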

Stay away from cyber crooks, as they are known to make promises that they rarely keep. Even if you pay the ransom fee demanded, chances are you will not be provided with the decryption key that will decode your data. This is why it is recommended to consider downloading and installing a reputable anti-malware tool and using it to remove the CCryptor Ransomware from your computer.

