
CROWN Ransomware

By CagedTech in Ransomware

Ever-vigilant cybersecurity researchers spotted a new ransomware threat at the start of July 2019. This data-encrypting Trojan is named CROWN Ransomware, and it does not appear to be a variant of any of the most notorious ransomware threats.

Infecting Your System

The exact infection vectors employed by the perpetrators of the attack have not yet been confirmed. Some malware experts speculate that emails containing macro-laced attachments, bogus software updates, and compromised pirated applications may be some of the techniques used to propagate the CROWN Ransomware. When the CROWN Ransomware gains access to a system, it begins the attack by scanning the files present to locate the ones it targets. The next step is to encrypt the targeted data. When the CROWN Ransomware locks a file, it also alters the file's name by adding a ‘.CROWN’ extension at the end of the filename. For example, a picture called ‘bathtub-hedgehog.jpeg’ will be renamed to ‘bathtub-hedgehog.jpeg.CROWN.’

The Ransom Note

When the encryption process is completed, the CROWN Ransomware drops its ransom note, called ‘HOW TO DECRYPT FILES.txt’, which reads:

‘All your information (documents, databases, backups and other files) on this computer has been encrypted using the most cryptographic algorithms. All encrypted files are formatted .CROWN. This form files .CROWN is a joint development American Hackers. You can only recover files using a decryptor and password, which, in turn, only we know. It is impossible to pick it up. Reinstalling the OS will not change anything. No system administrator in the world can solve this problem without knowing the password In no case should you modify the files! But if you want, then make a backup. Drop us an email at the address hghtllfh77137@gmail.com with your PC name You have 48 hours left. If they are not decrypted then after 48 hours they will be removed!!!’

Next, the CROWN Ransomware changes the user's wallpaper to a ransom note in the form of an image called ‘ransom.jpg.’ A pop-up window then appears. It contains a short ransom message and an empty field where the victim is meant to fill in their ‘password’ after potentially paying the ransom fee and receiving a decryption key. In the note, the attackers mention that the user has only 48 hours to pay up or their files will be erased permanently, which is why the authors of the CROWN Ransomware have also added a timer to the pop-up window. They also provide an email address at which they demand to be contacted: ‘hghtllfh77137@gmail.com.’

It is never a good call to get in touch with people like the ones behind the CROWN Ransomware. A much safer option would be to download and install a legitimate anti-spyware tool, which will rid you of the CROWN Ransomware and keep you safe in the future.
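The file artefacts described above (the appended ‘.CROWN’ extension, the ‘HOW TO DECRYPT FILES.txt’ note and the ‘ransom.jpg’ wallpaper) can be used to gauge how much of a disk was affected before restoring from backup. The following read-only triage script is an added example, not taken from any vendor tool; the function names and the sample directory it builds are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article text.
LOCKED_SUFFIX = ".CROWN"
NOTE_NAME = "HOW TO DECRYPT FILES.txt"
WALLPAPER_NAME = "ransom.jpg"  # generic name, so treated as weak evidence only


def triage(root):
    """Walk root and report CROWN artefacts without modifying anything."""
    locked, notes, wallpapers = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Case-insensitive match: Windows file systems ignore case.
            if name.upper().endswith(LOCKED_SUFFIX) and len(name) > len(LOCKED_SUFFIX):
                locked.append(path)
            elif name == NOTE_NAME:
                notes.append(path)
            elif name == WALLPAPER_NAME:
                wallpapers.append(path)
    # Strip the appended suffix to recover each file's original extension,
    # which shows what kinds of data need restoring from backup.
    by_type = Counter(
        os.path.splitext(os.path.basename(p)[: -len(LOCKED_SUFFIX)])[1].lower() or "(none)"
        for p in locked
    )
    return {
        "locked": sorted(locked),
        "notes": sorted(notes),
        "wallpapers": sorted(wallpapers),
        "by_type": dict(by_type),
        # Renamed files together with the note are strong evidence.
        "likely_infected": bool(locked) and bool(notes),
    }


def build_sample_tree(root):
    """Constructed sample data: empty files named as in the article."""
    for name in ["bathtub-hedgehog.jpeg.CROWN", "report.docx.CROWN", "notes.txt", NOTE_NAME]:
        open(os.path.join(root, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        print(result["by_type"], "likely infected:", result["likely_infected"])
```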
