
CryptoGod Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 73
First Seen: June 12, 2017
Last Seen: May 2, 2022
OS(es) Affected: Windows

The CryptoGod Ransomware is a file-encrypting Trojan built on the infamous open-source HiddenTear ransomware project. It should not be confused with an unrelated ransomware of the same name from June 2017; this entry covers the 2018 variant. The CryptoGod 2018 Ransomware encrypts targeted data on the compromised computer and then offers the affected user a decryptor for sale by the people who created the Trojan. It brings nothing new to the crypto-threat scene, although its build may evade some AV scanners. The program is almost identical to the KwaakLocked Ransomware and the CyberSCCP Crypto Ransomware that we have reported in the past; what sets the CryptoGod 2018 Ransomware apart is its own ransom message and the '.locked' extension it appends to encrypted files.

The CryptoGod Ransomware applies AES-256 encryption to user-generated data such as family photos, notes, presentations, downloaded music and video, databases, PDFs and eBooks, renders the files unreadable and then displays a ransom message on screen. Encrypted files receive the '.locked' extension, so a file like 'Volborthite Mineral.docx' is renamed to 'Volborthite Mineral.docx.locked'. The ransom alert is shown as a program window titled 'CryptoGod di Patrizio Napoli per esame di stato 2018', which is Italian for 'CryptoGod by Patrizio Napoli for the 2018 state exam'. Given the program's simplicity and the absence of any 'Command and Control' server configuration, some computer researchers believe the CryptoGod 2018 Ransomware might be a school project. The missing C2 channel also means the operator may never receive the encryption key at all, so paying is even less likely than usual to produce a working decryptor. The CryptoGod 2018 window shows the following text (rough translation from Italian):

'EXAMPLE RANSOMWARE BY PATRIZIO NAPOLI FOR THE 2018 STATE EXAM
5a B SIA
INSERT THE BITCOIN TRANSFER CODE
INSERT YOUR EMAIL
SEND DATA
----------
YOUR PERSONAL FILES ARE GOING TO BE DELETED. YOUR PHOTOS, VIDEOS, DOCUMENTS, ETC. ...
BUT DO NOT WORRY! IT WILL HAPPEN ONLY IF YOU DO NOT FOLLOW THE RULES.
I HAVE ALREADY ENCRYPTED YOUR FILES, SO THAT YOU CANNOT ACCESS THEM. EVERY HOUR I WILL SELECT ONE OF THEM AND DELETE IT PERMANENTLY. AFTER 24 HOURS I WILL DELETE THEM ALL,
AND THEREFORE I WILL NOT BE ABLE TO RECOVER THEM.
I AM THE ONLY ONE ABLE TO DECRYPT YOUR DATA ..
NOW, AS FOR YOUR FILES, YOU CANNOT DECRYPT THEM WITHOUT PAYING.
THE AMOUNT TO PAY TO RESTORE THE FILES IS € 300 IN PAYSAFECARD CODES.
YOU CAN INSERT YOUR PAYSAFECARD CODES DIRECTLY BELOW,
WITH THE NAME OF YOUR PC AND YOUR E-MAIL, TO SEND THE CODE FOR DECRYPTION OF THE FILES.'

The same text is also written to 'LEGGIMI.txt' (Italian for 'README.txt'), which may be dropped on the desktop and in every folder that contains '.locked' files. Computer security researchers advise against any interaction with the CryptoGod 2018 Ransomware developers. Without the decryption key the files cannot be restored directly, but they can be recovered from backups or from System Restore points and recovery disks that hold older versions. HiddenTear derivatives have also frequently turned out to be decryptable with free tools because of weaknesses inherited from the original project's key generation, so it is worth checking for a public decryptor before writing the files off; keep the '.locked' copies untouched in the meantime. PC users should entrust the removal of the CryptoGod Ransomware to a credible anti-malware suite and install a good backup manager to counter similar threats. The CryptoGod 2018 Ransomware may run on compromised systems as 'CryptoGod.exe', and AV scanners may flag it as:

Gen:Heur.Ransom.HiddenTears.1
HEUR/AGEN.1016243
MSIL.Trojan-Ransom.Cryptear.R
Malware/Win32.Generic.C1020407
Ransomware-FTD!2C6482E7A221
Trojan ( 004ddd301 )
Trojan.Ransom.HiddenTears.1
Trojan.Win32.Z.Ransom.367104
W32/Ransom.MEFJ-8179


Registry Details

CryptoGod Ransomware may create the following registry entry or registry entries:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoGod
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CryptoGod
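As an added example (not part of the original page and not the malware's own code), the PowerShell triage script below checks a Windows host for the indicators this entry lists: the 'CryptoGod' Run value, a running 'CryptoGod.exe', '.locked' files and 'LEGGIMI.txt' notes. It assumes the two Run keys above sit under HKLM (the page does not name the hive) and additionally checks the per-user HKCU Run key; the scan roots, the -Remediate switch and the output format are my own choices. Run it from an elevated prompt; without -Remediate it only reports.

```powershell
# Added triage script for the indicators listed in this entry. It is not part of
# the original page and is not the malware's own code. Assumptions: the Run keys
# above live under HKLM (the page does not name the hive) and HKCU is checked as
# well; the scan roots and output layout are my own choices.
[CmdletBinding()]
param(
    [string[]]$ScanRoot = @($env:USERPROFILE, 'C:\Users\Public'),
    [switch]$Remediate   # kill CryptoGod.exe and delete the Run value; never touches files
)

$findings = New-Object System.Collections.Generic.List[object]

# 1. Persistence: a Run value named "CryptoGod" (64-bit, 32-bit Wow6432Node, per-user).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # assumption, not on the page
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $val = Get-ItemProperty -Path $key -Name 'CryptoGod' -ErrorAction SilentlyContinue
    if ($null -ne $val) {
        $findings.Add([pscustomobject]@{ Type = 'RunKey'; Location = $key; Detail = $val.CryptoGod })
        if ($Remediate) { Remove-ItemProperty -Path $key -Name 'CryptoGod' -Force }
    }
}

# 2. A running CryptoGod.exe process. The page gives only the file name, so any
#    path is reported; that path is the lead for collecting the sample.
foreach ($p in (Get-Process -Name 'CryptoGod' -ErrorAction SilentlyContinue)) {
    $findings.Add([pscustomobject]@{ Type = 'Process'; Location = $p.Path; Detail = "PID $($p.Id)" })
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# 3. Encrypted files and ransom notes. Nothing here is deleted or renamed: the
#    .locked copies are the only input a future decryptor could work on.
foreach ($root in $ScanRoot) {
    if (-not (Test-Path $root)) { continue }
    $hits = Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.locked' -or $_.Name -eq 'LEGGIMI.txt' }
    foreach ($f in $hits) {
        $type = if ($f.Name -eq 'LEGGIMI.txt') { 'RansomNote' } else { 'EncryptedFile' }
        $findings.Add([pscustomobject]@{
            Type     = $type
            Location = $f.FullName
            Detail   = $f.LastWriteTime.ToString('s')   # ISO 8601 sorts chronologically
        })
    }
}

# Report. The earliest .locked timestamp approximates when encryption started.
$findings | Sort-Object Type, Location | Format-Table -AutoSize
$first = $findings | Where-Object Type -eq 'EncryptedFile' | Sort-Object Detail | Select-Object -First 1
if ($first) { "Earliest encrypted file: $($first.Detail) $($first.Location)" }
"Total findings: $($findings.Count)"
```

Record the output before any cleanup: the earliest '.locked' timestamp anchors the incident timeline, the process path locates the sample to submit to the AV vendors listed above, and the untouched '.locked' files are exactly what a free HiddenTear decryptor, if one applies, would need as input.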
