CryptoID Ransomware
The CryptoID Ransomware is an encryption ransomware Trojan that was first observed on February 4, 2019. The CryptoID Ransomware may be known as the 'RickRoll Locker Ransomware Trojan' due to strings found in the CryptoID Ransomware's code and ransom note. The CryptoID Ransomware, like most encryption ransomware Trojans, is designed to make the victim's files inaccessible so that it can ask for a ransom payment from the victim. The CryptoID Ransomware targets user-generated files, typically encrypting a variety of media files, documents, databases and other data containers.
How the CryptoID Ransomware Trojan Works
The files that the CryptoID Ransomware targets in these attacks include:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.
The CryptoID Ransomware attack marks the affected files with the file extension '.cryptoid', which is added to the name of each affected file. The CryptoID Ransomware then delivers a ransom note in the form of text files named 'CRYPTOID_BLOCKED.txt', 'CRYPTOID_HELP.txt' and 'CRYPTOID_MESSAGE.txt' that contain variants of the following ransom message:
'#############> RICKROLL LOCKER <############# SORRY! Your files are encrypted. File contents are encrypted with random key. Random key is encrypted with RSA public key (2048 bit). We STRONGLY RECOMMEND you NOT to use any "decryption tools". These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price. If you want to decrypt your files, you have to get RSA private key. In order to get private key, write here: =========== !ATTENTION! Attach file is 000000000.key from %appdata% to email message, without it we will not be able to decrypt your files =========== And pay $400 on BTC-wallet 1Ex6qfkopZ5wgbiCrxpq4cALF56yr8gLhX If someone else offers you files restoring, ask him for test decryption. Only we can successfully decrypt your files; knowing this can protect you from fraud. You will receive instructions of what to do next. #############> RICKROLL LOCKER <#############'
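The file names above are enough to triage a disk image or a file share for this threat. The following read-only scanner is an added example, not part of the original write-up; it assumes the '.cryptoid' marker is appended after the original file name and that names are matched case-insensitively, and the function names and verdict labels are illustrative.

```python
import os
import sys
from collections import Counter

# Indicators from the description above, lower-cased for matching
# (assumption: Windows file names, so case is not significant).
MARKER = ".cryptoid"
NOTE_NAMES = {"cryptoid_blocked.txt", "cryptoid_help.txt", "cryptoid_message.txt"}
KEY_FILE = "000000000.key"  # file the note tells victims to attach, from %appdata%


def triage(root):
    """Walk root read-only and collect CryptoID artefacts."""
    report = {"encrypted": [], "notes": [], "key_files": [], "original_types": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in NOTE_NAMES:
                report["notes"].append(path)
            elif lower == KEY_FILE:
                report["key_files"].append(path)
            elif lower.endswith(MARKER) and len(lower) > len(MARKER):
                report["encrypted"].append(path)
                # The marker is appended, so the remaining name shows the original type.
                ext = os.path.splitext(lower[: -len(MARKER)])[1]
                report["original_types"][ext or "(none)"] += 1
    return report


def verdict(report):
    """Marked files together with a ransom note is a stronger signal than either alone."""
    if report["encrypted"] and report["notes"]:
        return "likely-cryptoid"
    if report["encrypted"] or report["notes"] or report["key_files"]:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(verdict(result), len(result["encrypted"]), "marked files,", len(result["notes"]), "notes")
    for ext, count in result["original_types"].most_common(10):
        print(f"  {ext}: {count}")
    for key in result["key_files"]:
        # The note states decryption depends on this file, so it should be kept.
        print("  preserve:", key)
```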
Protecting Your Data from Threats Like the CryptoID Ransomware
PC security researchers strongly advise computer users to avoid paying the CryptoID Ransomware ransom or following any instructions in the CryptoID Ransomware ransom note. Instead, PC users should take preemptive steps to protect their computers from threats like the CryptoID Ransomware. Currently, it does seem that a free decryption utility for dealing with the CryptoID Ransomware exists, and it is important to check with PC security researchers to restore the files affected by the CryptoID Ransomware attack. A security program that is kept updated can be used to remove the CryptoID Ransomware and protect your PC from threats like this ransomware Trojan.