
CryptoLite Ransomware

By GoldSparrow in Ransomware

The CryptoLite Ransomware is an encryption ransomware Trojan. These threat types are designed to take the victim's data hostage so that affected users will be willing to pay a ransom in exchange for the restoration of their compromised data. Computer users must take precautions against threats like the CryptoLite Ransomware, which are rapidly becoming more common.

There's Nothing 'Lite' on the CryptoLite Ransomware

The CryptoLite Ransomware was first observed in July 2018, being distributed to victims through the use of corrupted email attachments. Once the CryptoLite Ransomware has been installed, it scans the victim's computer for various file types and uses a custom AES encryption algorithm to make the victim's files inaccessible. The file types that are often targeted by threats like the CryptoLite Ransomware include:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

Files encrypted by the CryptoLite Ransomware can be identified by the '.encrypted' file extension, which the CryptoLite Ransomware adds to the end of each damaged file's name.
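The appended '.encrypted' suffix makes it possible to scope the damage on a disk or share. The following triage script is an added example, not code from the original article; the `TARGETED` set is a subset of the extension list above, the sample tree is constructed, and using file modification times as an approximation of the encryption window is an assumption.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

MARKER = ".encrypted"  # suffix the article says is appended to each damaged file
# Subset of the targeted extensions listed in the article (extend as needed).
TARGETED = {".pst", ".bak", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg",
            ".png", ".zip", ".sql", ".sqlite", ".kdbx", ".csv", ".txt"}

def original_extension(name):
    """Return the extension the file had before MARKER was appended, else None."""
    if not name.lower().endswith(MARKER):
        return None
    stem = name[:-len(MARKER)]
    return os.path.splitext(stem)[1].lower()

def triage(root):
    """Walk root and summarise files carrying the marker suffix."""
    by_ext, hits, mtimes = Counter(), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = original_extension(name)
            if ext is None:
                continue
            path = os.path.join(dirpath, name)
            # "notes.encrypted" has no inner extension: count it, but mark it
            # for manual review because it may be an unrelated file.
            by_ext[ext or "<none>"] += 1
            hits.append((path, ext in TARGETED))
            mtimes.append(os.stat(path).st_mtime)
    # Assumption: mtime of marked files approximates when they were written.
    window = None
    if mtimes:
        window = tuple(datetime.fromtimestamp(t, timezone.utc)
                       for t in (min(mtimes), max(mtimes)))
    return {"hits": hits, "by_ext": by_ext, "window": window}

def build_sample_tree(root):
    """Constructed sample data: three marked files and one untouched file."""
    for rel in ("docs/report.docx.encrypted", "docs/budget.xlsx.encrypted",
                "misc/notes.encrypted", "docs/readme.md"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

Run `triage()` against a read-only mount or forensic copy so the scan does not alter timestamps on the affected system.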

The CryptoLite Ransomware’s Ransom Demand

After the victim's files are encrypted, the CryptoLite Ransomware delivers its ransom note in an HTA application, which demands a ransom payment of 0.5 Bitcoin (approximately 3200 USD at the current exchange rate). The CryptoLite Ransomware ransom note contains the following message:

'ALL YOUR FILES HAVE BEEN ENCRYPTED!!!
There's no way to decrypt these files without the decryption key.
To retrieve the decryption key, a payment of 0.5 BC will need to be paid.
INSTRUCTIONS:
*Purchase the bitcoins from https://localbitcoins.comi.
*Transfer the bitcoins to a https://blockchain.infoi Wallet.
*From https://blockchain.infoi transfer the bitcoins to the below address.
*Add a message to the transaction with the following format:
{MAC-ADDRESS_EMAIL} <- ENSURE THIS IS CORRECT
Example: 00:A0:C9:14:C8:29_pwned@gmail.com
Following payment the key will be emailed to you after confirmation.
IF YOU MESS UP YOUR MESSAGE FROMAT, YOU WILL NOT RECEIVE THE KEY!
BitCoin Address: [random characters]
Decryption Key: [text box] [DECRYPT|BUTTON]'

The wallet address that the CryptoLite Ransomware uses for payments is also associated with a different online fraud case, in which victims are tricked into investing Bitcoins in a hoax.

Dealing with the CryptoLite Ransomware Infection

The decryption key for the CryptoLite Ransomware appears to be hard-coded into the threat, which allowed PC security researchers to find a key that helps victims restore their files; in most cases, it is not possible to recover the files encrypted by these attacks. Entering the following code into the CryptoLite Ransomware's text box will restore the data without having to contact the criminals and pay the ransom:

GuBlZEpxPFqDAtjNh7c6mKs4Iy9Mrfw2UYvn3ei5HTgaO1dCbz8QXLJk0RVoW

The CryptoLite Ransomware infection should be removed with an effective security product. Since it is not possible in most cases to recover the encrypted files, computer users are advised to keep file backups in the cloud or on an external device so that they have a recovery option in case of an attack.
