
Crypt38 Ransomware

By GoldSparrow in Ransomware

The Crypt38 Ransomware is an encryption ransomware Trojan that was first observed in the spring of 2016. It is the namesake of a family of encryption ransomware Trojans that all share the same simple encryption routine. Because that routine is simple, malware analysts were able to reverse engineer it and release a decryption utility for the whole family: a free key generator that, given the victim's identifying number, returns the corresponding decryption key. Malware researchers recommend that computer users back up the encrypted files before running any of the available key generators, so that a failure in the decryption process does not destroy the only remaining copy of the data.

How the Crypt38 Ransomware and Similar Threats Attack a Computer

The Crypt38 Ransomware adds the extension '.crypt38' to every file it encrypts. PC security analysts have not yet determined exactly how the Crypt38 Ransomware is distributed; the most probable method is malicious email attachments. The Crypt38 Ransomware's encryption routine is quite slow. It enumerates the victim's drives in the following fixed order and then encrypts them in that same order:

C:\, D:\, E:\, Z:\, Y:\, X:\, W:\, V:\, F:\, G:\, H:\, I:\, J:\, K:\, U:\, T:\, S:\, R:\, Q:\, L:\, M:\, N:\, O:\, P:\, A:\, B:\

The Crypt38 Ransomware encrypts files with the following file extensions:

.txt, .pdf, .html, .rtf, .dwg, .cdw, .max, .psd, .3dm, .3ds, .dxf, .ps, .ai, .svg, .indd, .cpp, .pas, .php, .cs, .py, .java, .class, .fla, .pl, .sh, .jpg, .jpeg, .jps, .bmp, .tiff, .avi, .mov, .mp4, .amr, .aac, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .accdb, .odt, .odp, .odx, .ibooks, .xlp, .db, .dbf, .mdf, .sdf, .mdb, .sql, .rar, .7z, .zip, .vcf, .cer, .csr, .torrent, .otl, .report, .key, .csv, .xml.

To keep the victim's computer bootable and usable (so that the ransom note can be read and paid), the Crypt38 Ransomware skips every file whose path contains one of the following strings:

Windows, msocache, Program Files, Program Files (x86)
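The three selection rules above (drive order, targeted extensions, skipped path strings) are easy to reproduce, and doing so is useful during incident response: run over a file listing taken from an affected machine, the same rules separate files that already carry the '.crypt38' marker from files that would have been reached had the routine run to completion, and order both sets the way the malware would have visited them. The following Python script is an added example written for this page; it is not code from the Crypt38 Ransomware or from any published decryptor. The case-insensitive matching of the skipped path strings and the sample listing are assumptions made here, not details stated in the article.

```python
"""Reproduce the Crypt38 file-selection rules for incident triage (added example)."""
import ntpath  # handles Windows-style paths correctly even when run on Linux/macOS
from typing import Dict, Iterable, List

# Drive enumeration order quoted in the article.
DRIVE_ORDER = [f"{c}:\\" for c in "CDEZYXWVFGHIJKUTSRQLMNOPAB"]

# Extensions the article lists as targeted (lower-case, with leading dot).
TARGET_EXTENSIONS = frozenset("""
.txt .pdf .html .rtf .dwg .cdw .max .psd .3dm .3ds .dxf .ps .ai .svg .indd .cpp
.pas .php .cs .py .java .class .fla .pl .sh .jpg .jpeg .jps .bmp .tiff .avi .mov
.mp4 .amr .aac .doc .docx .xls .xlsx .ppt .pptx .accdb .odt .odp .odx .ibooks
.xlp .db .dbf .mdf .sdf .mdb .sql .rar .7z .zip .vcf .cer .csr .torrent .otl
.report .key .csv .xml
""".split())

# Path substrings the article says are skipped. ASSUMPTION: matched case-insensitively;
# the article does not state how case is handled.
SKIP_SUBSTRINGS = ("windows", "msocache", "program files", "program files (x86)")

# Marker extension appended to encrypted files.
ENCRYPTED_EXTENSION = ".crypt38"

# Constructed sample file listing, standing in for a forensic directory walk.
SAMPLE_LISTING = [
    r"F:\archive\photos\summer.jpg",
    r"C:\Users\ivan\Documents\report.docx.crypt38",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files (x86)\Tool\config.xml",
    r"Z:\share\ledger.xlsx",
    r"C:\Users\ivan\Desktop\notes.txt",
    r"D:\media\movie.mkv",
    r"C:\Users\ivan\Downloads\setup.exe",
]


def is_skipped_path(path: str) -> bool:
    """True if the path contains one of the excluded substrings."""
    lowered = path.lower()
    return any(s in lowered for s in SKIP_SUBSTRINGS)


def would_be_targeted(path: str) -> bool:
    """True if a file at this path matches the extension list and is not excluded."""
    if is_skipped_path(path):
        return False
    _, ext = ntpath.splitext(path)
    return ext.lower() in TARGET_EXTENSIONS


def is_encrypted_artifact(path: str) -> bool:
    """True if the file already carries the '.crypt38' marker."""
    return path.lower().endswith(ENCRYPTED_EXTENSION)


def drive_rank(path: str) -> int:
    """Position of the file's drive in the enumeration order (unknown drives sort last)."""
    drive, _ = ntpath.splitdrive(path)
    root = drive.upper() + "\\"
    return DRIVE_ORDER.index(root) if root in DRIVE_ORDER else len(DRIVE_ORDER)


def triage(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Partition a listing into encrypted / at-risk / ignored, in malware visit order."""
    result: Dict[str, List[str]] = {"encrypted": [], "at_risk": [], "ignored": []}
    for p in paths:
        if is_encrypted_artifact(p):
            result["encrypted"].append(p)
        elif would_be_targeted(p):
            result["at_risk"].append(p)
        else:
            result["ignored"].append(p)
    for bucket in result.values():
        bucket.sort(key=lambda p: (drive_rank(p), p.lower()))
    return result


if __name__ == "__main__":
    for bucket, files in triage(SAMPLE_LISTING).items():
        print(f"{bucket} ({len(files)}):")
        for f in files:
            print("   ", f)
```

Feeding the script a real listing (for example the output of a recursive `dir /s /b` saved from the affected host) gives a quick count of files that still need restoring from backup versus files that were never in scope.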

This strategy is common to most encryption ransomware Trojans: they enter a computer, scan the victim's drives for files matching a list of extensions, encrypt them, and then demand the payment of a ransom. The demand is usually delivered by dropping ransom notes in the form of text or HTML files in each directory where files were encrypted, and by changing the victim's Desktop image.

What is Known About the Crypt38 Ransomware Family

It seems that the Crypt38 Ransomware only targets computer users located in Russia. It is also possible that the Crypt38 Ransomware is still being tested, which would account for its simplistic encryption method and for the very low ransom it asks. Because of this, it would not surprise PC security researchers to find a more advanced version of the Crypt38 Ransomware appearing in the future. The Crypt38 Ransomware currently demands only one thousand Rubles, approximately $15 USD. It also does not use a dedicated payment website or other advanced features: victims are instructed to email the author, who answers with payment instructions and details on the encryption process.

How the Crypt38 Ransomware Encryption Method Works

When the Crypt38 Ransomware infects a computer, it generates a 12-digit random identifier number for the affected computer. This number is run through a mathematical operation, and '6551' is appended to the result. The final number is used as the encryption key. Most ransomware Trojans use asymmetric encryption, so that the key needed to decrypt the files exists only on the attacker's side. The Crypt38 Ransomware instead uses a symmetric algorithm, meaning that the encryption key is also the decryption key, and that key is derived deterministically from an identifier the victim can see. Anyone who reverse engineers the derivation can therefore regenerate the key from the identifier alone, which is exactly what the free key generator does; comparing the identifying numbers and keys of different victims made the derivation straightforward for PC security analysts to recover.
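The weakness described above can be shown in a few lines. The following Python snippet is an added illustration written for this page, not the Crypt38 Ransomware's code and not the published key generator. The article does not name the "mathematical operation" applied to the identifier, so the `transform_id` function below is a labelled stand-in (it simply reverses the digits), and the repeating-key XOR stands in for whatever symmetric cipher the Trojan really uses. The structure is what matters: the only input the recovery routine needs is the identifier shown in the ransom note.

```python
"""Why an ID-derived symmetric key is recoverable (added illustration, stand-in routines)."""
import secrets

SUFFIX = "6551"  # constant the article says is appended to the transformed identifier


def generate_victim_id() -> str:
    """12-digit random identifier, as the article describes the Trojan generating."""
    return f"{secrets.randbelow(10**12):012d}"


def transform_id(victim_id: str) -> str:
    """STAND-IN for the unnamed 'mathematical operation' (ASSUMPTION: reversed digits).

    The real operation is not stated in the article. Any deterministic function
    of a public identifier has the same weakness: it can be replayed by anyone.
    """
    return victim_id[::-1]


def derive_key(victim_id: str) -> bytes:
    """Key = transform(ID) || '6551', mirroring the derivation the article outlines."""
    if len(victim_id) != 12 or not victim_id.isdigit():
        raise ValueError("victim ID must be 12 decimal digits")
    return (transform_id(victim_id) + SUFFIX).encode("ascii")


def xor_stream(data: bytes, key: bytes) -> bytes:
    """STAND-IN symmetric cipher (repeating-key XOR); applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_as_trojan(plaintext: bytes, victim_id: str) -> bytes:
    """What the Trojan does: symmetric encryption under the ID-derived key."""
    return xor_stream(plaintext, derive_key(victim_id))


def recover(ciphertext: bytes, victim_id_from_note: str) -> bytes:
    """What the free key generator enables: regenerate the key from the ID alone.

    No attacker-held secret is involved; the same key that encrypted also decrypts.
    """
    return xor_stream(ciphertext, derive_key(victim_id_from_note))


if __name__ == "__main__":
    vid = generate_victim_id()
    sample = b"constructed sample document contents"  # constructed input
    ct = encrypt_as_trojan(sample, vid)
    print("victim id:", vid)
    print("derived key:", derive_key(vid).decode())
    print("recovered ok:", recover(ct, vid) == sample)
```

Because the identifier is the only secret, a wrong or mistyped identifier simply produces garbage rather than an error, which is why the advice to work on a backup copy rather than the original files applies to any tool built on this approach.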
