
Croc Ransomware

By GoldSparrow in Ransomware

The Croc Ransomware is a file-encrypting Trojan that was discovered on April 22nd, 2019. Malware analysts warn that the Croc Ransomware was created with the Scarab Ransomware Builder, which is operated as a RaaS (Ransomware-as-a-Service) platform. In other words, the Croc Ransomware is a customized copy of the Scarab Ransomware, produced by a team of distributors using software maintained by the Ransomware developers. The Croc Ransomware may be listed in AV databases under the alias Scarab-Croc Ransomware since it is nearly identical to Scarab. The Croc Ransomware may land on machines via weaponized Microsoft Word files and PDFs. The Ransomware distributors often rely on domain names that resemble paypal.com, amazon.co.uk and facebook.com to lure Web users into downloading a potentially dangerous file. The Croc Ransomware is installed on devices through macro scripts, which allows the threat actors to bypass most cyber defenses without alerting the user.

Once the Croc Ransomware (a.k.a. Scarab-Croc Ransomware) is installed on the computer, it creates a randomly named process visible in the Task Manager, maps your local disks for targeted file formats and begins the encryption process. Every copy of the Croc Ransomware generates a unique pair of encryption and decryption keys. Thus, recovering data on all devices using the same decryption key is impossible. Also, the decryption key is uploaded to the command servers, and the encryption key is kept locally only for as long as the encryption procedure takes place. The Croc Ransomware is hard to distinguish from other Scarab variants like the Scarab-X3 Ransomware, the Scarab-DiskDoctor Ransomware, and the Scarab-Bomber Ransomware. The only notable difference is that it uses the '.croc' extension to mark encrypted data. For example, 'Havasu Falls.jpg' is renamed to 'Havasu Falls.jpg.croc'. The ransom message is shown via 'HELP_BY_CROC.TXT' and says:

'Hello,
all your files have been encrypted.
>>> Your personal ID:
[random characters]
If you want to recovery your files, send us e-mail with your personal ID and 3 test files (non archived, total size of files must be less than 10Mb).
>>> Contacts:
croc@airmail.cc
cr0c@mail.ee
If your mail server doesn't send e-mail to our contacts, we recommended you to create an e-mail on Protonmail.com (https://protonmail.com).
>>> ATTENTION!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The actors responsible for the Croc Ransomware are reported to contact compromised users via the 'croc@airmail.cc' and 'cr0c@mail.ee' email accounts. Users may be invited to pay hundreds of dollars to the ransomware team by purchasing Bitcoin. The Bitcoin amount is then expected to be transferred to their wallet address within approximately 72 hours (3 days). You should not follow through with the ransom payment; instead, purge the Croc Ransomware from your PC using a trusted computer security tool. It is safer to restore from data backups and use cloud storage services that can help you rebuild your file structure.
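For responders triaging a host, the two artifacts described above (the '.croc' marker on encrypted files and the 'HELP_BY_CROC.TXT' note with its '>>>' section headers) are enough to build a small scoping helper. The following is an added example, not code from the page or from any vendor; the note text and file listing are constructed samples, and the personal ID is a placeholder.

```python
import os
import re
CROC_EXT = ".croc"              # marker the Croc variant appends to encrypted files
NOTE_NAME = "HELP_BY_CROC.TXT"  # ransom note file dropped by the Croc variant
EMAIL_RE = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")
# Constructed sample note laid out like the one quoted above; the ID is a placeholder.
SAMPLE_NOTE = """Hello,
>>> Your personal ID:
CONSTRUCTED-ID-0001
>>> Contacts:
croc@airmail.cc
cr0c@mail.ee
If your mail server doesn't send e-mail to our contacts, use Protonmail.
>>> ATTENTION!
"""
# Constructed file listing from a hypothetical affected host.
SAMPLE_PATHS = [
    "C:/Users/alice/Pictures/Havasu Falls.jpg.croc",
    "C:/Users/alice/Pictures/HELP_BY_CROC.TXT",
    "C:/Users/alice/Documents/report.docx.croc",
    "C:/Users/alice/Documents/notes.txt",
]

def parse_croc_note(text):
    """Pull the victim ID and contact addresses out of a Scarab-Croc note: values
    follow the '>>> Your personal ID:' and '>>> Contacts:' headers until the next '>>>'."""
    result = {"personal_id": None, "contacts": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(">>>"):
            header = line[3:].strip().lower()
            section = ("id" if header.startswith("your personal id")
                       else "contacts" if header.startswith("contacts") else None)
        elif section == "id" and line and result["personal_id"] is None:
            result["personal_id"] = line
        elif section == "contacts" and EMAIL_RE.fullmatch(line):
            result["contacts"].append(line)   # non-address lines are skipped
    return result

def triage_paths(paths):
    """Split a listing into ransom notes and encrypted files; strip '.croc' to recover names."""
    encrypted, notes = {}, []
    for path in paths:
        base = os.path.basename(path)
        if base.upper() == NOTE_NAME:
            notes.append(path)
        elif base.lower().endswith(CROC_EXT):
            encrypted[path] = path[:-len(CROC_EXT)]
    return {"encrypted": encrypted, "notes": notes}
```

The recovered original names and the extracted ID are what an analyst needs to match the infection against backups and to track which victim record the operators hold.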
