Cryptedx Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
Threat Level: 100% (High)
Infected Computers: 4
First Seen: January 11, 2018
Last Seen: January 9, 2019
OS(es) Affected: Windows
The Cryptedx Ransomware is a file-encoding Trojan that was first reported on cybersecurity blogs on January 9th, 2018. Initial analysis indicates that the Cryptedx Ransomware is a modified build of the Xorist Ransomware. The Xorist family of file encoders is known to include half a dozen strains, among them the Crypto1CoinBlocker Ransomware, the Blocked2 Ransomware, the Zixer2 Ransomware and the XRat Ransomware. Security analysts note that the Cryptedx Ransomware behaves like a generic file-encrypting Trojan. The payload is delivered through macro-enabled Microsoft Word documents distributed by spam email, although cracked copies of shareware may also be used to deliver the Cryptedx Ransomware Trojan directly to users.
The attack does not take long to manifest because the Cryptedx code is small and runs with administrative privileges, which lets the Cryptedx Ransomware scan the local drives and delete the System Restore points quickly. The threat has been observed reporting a successful infiltration to remote servers, including the user's keyboard layout, IP address, computer name, active username and installed software. The Cryptedx Ransomware Trojan then generates the keys it uses before it encodes the targeted data. The Cryptedx Ransomware Trojan is designed to encipher photos, music, videos, office documents, eBooks, PDFs and databases. The Cryptedx Trojan appends '.cryptedx' to the file names, so a file such as 'Meyendorff Castle.jpeg' is renamed to 'Meyendorff Castle.jpeg.cryptedx'. We have also seen Cryptedx delete the Shadow Volume Copies and disable the native recovery features in Windows 10, Windows 8, Windows 7 and Windows Vista. Affected PC users are shown a file called 'HOW TO DECRYPT FILES.txt', which is opened in Microsoft's Notepad desktop app and contains the following text:
'Attention! All your files are encrypted!
To restore your files and access them,
please send a mail to www@lass.33mail.com
You have 5 attempts to enter the code.
When that number has been exceeded,
all the data irreversibly is destroyed.
Be careful when you enter the code!
WTF !'
The threat creators may offer help with decoding the affected data if you send an email to 'www@lass.33mail.com' (the same address shown in the note) and transfer 100 USD worth of Bitcoin (≈0.006570 BTC at the time) to their digital wallet, 13dYEREjhp5Hde3n5CsV15TFj5PB4nm1md. You may also notice that the desktop background is changed to a black screen that features the name 'CRYPTEDX RANSOMWARE' and the message shown above. We advise against interacting with the threat operators because they may ask questions about the nature of the affected data and demand more money, and there is no way to know whether they will cooperate and sell you the decryptor you need. Because the Xorist family has been analyzed extensively and free decryptors have been released for several of its strains, check for one before considering any payment, and keep a copy of the ransom note and at least one encrypted file for that purpose. The safer alternative is to restore from backup images, but you will need to remove the threat first with the help of a reputable anti-malware solution.
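The behaviour described above (files renamed with a '.cryptedx' suffix and a 'HOW TO DECRYPT FILES.txt' note dropped beside them) is enough to build a first-pass triage script for an incident responder. The following Python is an added example, not code from EnigmaSoft or from the Cryptedx Trojan itself: it walks a directory tree, lists encrypted files together with their original names, pulls the contact address out of any ransom note it finds (that address is the indicator to block at the mail gateway), and measures the byte entropy of the encrypted files as a sanity check. The sample tree it builds is constructed for the demo (random bytes stand in for ciphertext, the note text is the one quoted on this page), and the 7.5-bits-per-byte entropy threshold is an assumption, not a property of the Xorist encoder.

```python
"""Constructed IR triage helper for a Cryptedx-style infection (added example)."""
import math
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".cryptedx"          # suffix the page reports
NOTE_NAME = "HOW TO DECRYPT FILES.txt"  # ransom-note file name the page reports

# Constructed ransom-note text, taken from the wording quoted on the page.
SAMPLE_NOTE = (
    "Attention! All your files are encrypted!\n"
    "To restore your files and access them,\n"
    "please send a mail to www@lass.33mail.com\n"
    "You have 5 attempts to enter the code.\n"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, plain text far below."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_ransom_note(text: str) -> dict:
    """Extract the contact addresses from a note; these are the IoCs worth blocking."""
    return {"emails": sorted(set(EMAIL_RE.findall(text)))}


def find_encrypted_files(root: str) -> list:
    """Return (encrypted_path, original_name) pairs for files carrying the suffix."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(ENCRYPTED_EXT):
                hits.append((os.path.join(dirpath, name), name[: -len(ENCRYPTED_EXT)]))
    return sorted(hits)


def triage(root: str) -> dict:
    """Summarise one host: encrypted files, notes found, contacts and entropy per file."""
    encrypted = find_encrypted_files(root)
    notes = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names if n == NOTE_NAME]
    emails = set()
    for path in notes:
        with open(path, encoding="utf-8", errors="replace") as fh:
            emails.update(parse_ransom_note(fh.read())["emails"])
    entropies = {}
    for path, _ in encrypted:
        with open(path, "rb") as fh:
            entropies[path] = shannon_entropy(fh.read(4096))  # first 4 KiB is enough
    return {
        "encrypted_count": len(encrypted),
        "originals": [orig for _, orig in encrypted],
        "note_count": len(notes),
        "contacts": sorted(emails),
        "entropy_bits": entropies,
    }


def build_sample_tree() -> str:
    """Constructed sample: one 'encrypted' file, one untouched file and one note."""
    root = tempfile.mkdtemp(prefix="cryptedx_demo_")
    pics = os.path.join(root, "Pictures")
    os.makedirs(pics)
    # os.urandom is only a stand-in for ciphertext; the real encoder's output is not modelled.
    with open(os.path.join(pics, "Meyendorff Castle.jpeg" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(pics, "notes.txt"), "w") as fh:
        fh.write("plain text that the encoder has not touched\n" * 50)
    with open(os.path.join(root, NOTE_NAME), "w") as fh:
        fh.write(SAMPLE_NOTE)
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it against a mounted image or a user's profile directory instead of the sample tree to get a count of affected files, the list of original names to match against backups, and the contact address to add to mail filters. A high entropy reading on the renamed files confirms they were actually overwritten rather than merely renamed; a low reading would be a hint that the encoder failed part-way and the files may still be recoverable.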