Crypt0r Ransomware

By GoldSparrow in Ransomware

The Crypt0r Ransomware is an encryption Trojan that appears to be used primarily in attacks on database servers. The Crypt0r Ransomware Trojan was identified by computer security researchers on January 10th, 2019, and the threat is known to appear in the Windows Task Manager as 'svchost.jpg.' The Crypt0r Ransomware behaves as a typical crypto-threat that uses the AES and RSA ciphers to prevent users from accessing the content on the local drives. The Crypt0r Ransomware is programmed to apply a customized version of the public AES-256 cipher and to report back to its 'Command and Control' (C2) servers with the decryption key.

The decryption key is included in a report that features the machine ID, IP address and keyboard configuration. The Crypt0r Ransomware is designed to communicate with the C2 servers through TOR Network proxies, making it hard for researchers to find the origin of the ransomware actors. The Crypt0r Ransomware changes the file structures in a way that does not allow the files to be restored without a particular key and software. The infected machines lose the Shadow Volume snapshots and the System Restore points once the threat has managed to load properly. The Crypt0r Ransomware Trojan supports a self-destruct feature, and the only foreign object left for users to find is a document called '_HELP.txt.' The message from the Crypt0r Ransomware is placed on the desktop, and it may be the only text file with a proper icon, since the threat turns similar files into generic white icons. The text from '_HELP.txt' reads:

'All your files and documents are encrypted by Crypt0r.
We provide a decryption service. If you need help, contact customer
service via mail: decrypt0r-help@protonmail.com
All we need is your personal service ID: [random characters]'

The Crypt0r Ransomware may attempt to stop the processes of database managers and interfere with the work of automated backup services. You should note that the Crypt0r Ransomware actors may have used a compromised remote desktop account to inject their Trojan into the affected systems. It is recommended to avoid negotiations with the 'decrypt0r-help@protonmail.com' email account and to attempt database recovery using the available backup technologies. Threats like the Crypt0r Ransomware can be mitigated and limited in their impact on infrastructures through multi-layered defenses and offsite backup storage. AV companies refer to the Crypt0r Ransomware Trojan with the following detection names:

Gen:Heur.Ransom.Imps.1 (B)
Malware@#2flwppvkgy64d
RDN/Generic.hra
Ransom.Gen!8.DE83 (CLOUD)
Trojan-Ransom.Win32.Gen.kxn
Trojan.Encoder.26980
W32/Gen.FEE!tr.ransom
Win.Trojan.Agent-6807435-0
Win32.Trojan.Gen.Pegl
malicious.3007cd
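As an added example (not part of the original write-up), a small Python triage routine that flags the two host-level artifacts this entry names, the 'svchost.jpg' process name and the '_HELP.txt' note with its contact mailbox, over constructed Sysmon-style events. The event layout is an assumption, and the broader check for any process hiding behind a document or image extension is a generalisation of the same trick, not something the entry states about Crypt0r.

```python
import re
from dataclasses import dataclass

# Indicators taken from the write-up: the process shows up as 'svchost.jpg',
# the note is '_HELP.txt' on the desktop, and the note names the mailbox.
PROCESS_NAME = "svchost.jpg"
NOTE_NAME = "_help.txt"
NOTE_MARKERS = ("encrypted by crypt0r", "decrypt0r-help@protonmail.com")
# Generalisation (assumption): a running process whose image carries a
# non-executable extension is suspicious regardless of the exact name.
DOC_EXT = re.compile(r"\.(jpe?g|png|gif|txt|pdf|docx?)$", re.I)

@dataclass
class Alert:
    host: str
    reason: str
    detail: str

def check_process(event):
    """Flag a process-creation event by the Crypt0r disguise or by extension."""
    image = event["image"].rsplit("\\", 1)[-1]
    if image.lower() == PROCESS_NAME:
        return Alert(event["host"], "crypt0r-process-name", image)
    if DOC_EXT.search(image):
        return Alert(event["host"], "process-with-document-extension", image)
    return None

def check_file(event):
    """Flag creation of the Crypt0r ransom note, matched by name and content."""
    name = event["path"].rsplit("\\", 1)[-1].lower()
    body = event.get("content", "").lower()
    if name == NOTE_NAME and any(m in body for m in NOTE_MARKERS):
        return Alert(event["host"], "crypt0r-ransom-note", event["path"])
    return None

def triage(events):
    """Run both checks over a list of constructed events and collect alerts."""
    checks = {"process": check_process, "file": check_file}
    return [a for ev in events if (a := checks[ev["type"]](ev))]

# Constructed sample telemetry (assumed field names) for a dry run.
SAMPLE_EVENTS = [
    {"type": "process", "host": "db01", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "host": "db01", "image": r"C:\Users\Public\svchost.jpg"},
    {"type": "file", "host": "db01", "path": r"C:\Users\dba\Desktop\_HELP.txt",
     "content": "All your files and documents are encrypted by Crypt0r.\n"
                "contact customer service via mail: decrypt0r-help@protonmail.com"},
    {"type": "file", "host": "db01", "path": r"C:\Users\dba\Desktop\notes.txt",
     "content": "quarterly backup checklist"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a.host}: {a.reason} ({a.detail})")
```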