
CryTekk Ransomware

By GoldSparrow in Ransomware

The CryTekk Ransomware is a file-encoder Trojan built on the HiddenTear Ransomware platform. It is categorized as a hybrid threat: it combines an encryption module with a phishing module that is served over the Internet. The CryTekk Ransomware is designed to encrypt common user data on the compromised system and then lure the user into surrendering credit card details on a phishing site that imitates PayPal.com.

The CryTekk Ransomware Supports a Standard Encryption Module

The encryption module of the CryTekk Ransomware applies an AES-256 cipher to photos, audio, video and text files, and drops a ransom note called 'README.html' on the desktop. Encrypted files receive the '.locked' extension, so a file such as 'Culver City.png' is renamed to 'Culver City.png.locked.' The CryTekk Ransomware also deletes the Shadow Volume snapshots and the System Restore points found on the infected device, so that the built-in local recovery options are no longer available. The CryTekk Ransomware may detect the default system Web browser and use it to load 'README.html,' which displays the following text on the screen:

'YOUR FILES HAVE BEEN ENCRYPTED!
Dear victim:
Files have been encrypted! and Your computer has been limited!
To unlock your PC you must pay with one of the payment methods provided, we regularly check your activity of your screen and to see if you have paid. Paypal automatically sends us a notification once you've paid. But if it dosen't unlock your PC upon payment contact us
(CryTekk@protonmail.com)
Reference Number: CT-[random characters]
When you pay via BTC, send us an email following your REF Number if your PC dosen' unencrypt. Once you pay, Your PC will be decrypted.
However if you don't within 14 days we will continue to infect your PC and extract all your data and use it
Google 'how to buy/pay with bitcoin' if you don't know how. To pay by
bitcoin: send $40 to your unique bitcoin address
34ieoNtVEUpcWeVbuxUWXoyANEBBv22TUb
PayPal
[Buy Now|BUTTON]'
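The file-system artifacts described above (the '.locked' extension and the dropped 'README.html' note) are what a responder would look for first when scoping an infection and deciding what to restore from backup. The following script is an added example, not code from the original write-up; it walks a directory tree, lists encrypted files with their presumed original names, confirms ransom notes by the opening line quoted above, and counts affected directories. The sample tree it builds in a temporary directory is constructed for the demo; point `triage()` at a real path to use it.

```python
"""Added example (not from the original article): triage a directory tree for
the CryTekk artifacts described above, files carrying the '.locked' extension
and a dropped 'README.html' ransom note."""
import os
import tempfile
from collections import Counter

LOCKED_EXT = ".locked"
NOTE_NAME = "README.html"
# First line of the ransom note as quoted in the article; used to confirm
# that a README.html really is the note and not an unrelated file.
NOTE_MARKER = "YOUR FILES HAVE BEEN ENCRYPTED!"


def triage(root):
    """Walk `root` and return the encrypted files (path, presumed original
    name), the confirmed ransom-note paths and a per-directory count, so a
    responder can scope what has to be restored from backup."""
    encrypted, notes = [], []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(LOCKED_EXT):
                # 'Culver City.png.locked' -> 'Culver City.png'
                encrypted.append((path, name[: -len(LOCKED_EXT)]))
                per_dir[dirpath] += 1
            elif name == NOTE_NAME:
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        if NOTE_MARKER in fh.read(4096):
                            notes.append(path)
                except OSError:
                    pass  # unreadable file: skip rather than abort triage
    return {"encrypted": encrypted, "notes": notes, "per_dir": dict(per_dir)}


def build_sample_tree():
    """Constructed sample tree (not real victim data): a fake Desktop with a
    ransom note and a Pictures folder with two encrypted files and one
    untouched file."""
    root = tempfile.mkdtemp(prefix="crytekk_demo_")
    desktop = os.path.join(root, "Desktop")
    pictures = os.path.join(root, "Pictures")
    os.makedirs(desktop)
    os.makedirs(pictures)
    with open(os.path.join(desktop, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("<html><body>YOUR FILES HAVE BEEN ENCRYPTED!</body></html>")
    for name in ("Culver City.png.locked", "notes.txt.locked"):
        with open(os.path.join(pictures, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(pictures, "untouched.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for path, original in result["encrypted"]:
        print(f"encrypted: {path}  (original name: {original})")
    for path in result["notes"]:
        print(f"ransom note: {path}")
    for directory, count in result["per_dir"].items():
        print(f"{count} encrypted file(s) in {directory}")
```

Matching on the extension alone is deliberately cheap; the note check reads only the first 4 KB so the scan stays fast on large trees.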

The CryTekk Ransomware Uses Phishing Tactics to Collect Credit Card Data

As mentioned above, the CryTekk Ransomware includes a phishing component, which users reach when they click the 'Buy Now' button. Clicking that button makes the Web browser load a page at h[tt]p://ppyc-ve0rf.890m[.]com that is almost identical to the account profile page shown at PayPal.com, with a few exceptions. h[tt]p://ppyc-ve0rf.890m[.]com hosts a phishing site that shows the following notification to visitors:

'Resolve problem
You can not access all your ΡayΡal advantages, due to account limited.
PayPal balance
Your account PayPal has been limited!'

Visitors are directed to fill out a form titled 'Confirm your credit card for more security.' At this point, users compromised by the CryTekk Ransomware may assume that, because the ransom is apparently paid via PayPal, the transaction could be traced back to the threat authors. Some users may not notice that they are actually on h[tt]p://ppyc-ve0rf.890m[.]com, and filling out the form is not a good idea. The phishing page may show dialog boxes inviting the user to enter the cardholder name, the card number, the expiry date, the CSC/CVV code and, potentially, the 3D Secure verification password. If you follow the on-screen instructions, a new message is presented, which reads:

'Your account access is fully restored !
Thanx you for the steps to restore your account access , Your patience and efforts increass, and financial date as seriously as you do, and these ongoing checks of our system contribute to our height level of security. your account will be verfied in the next 24 hours
You are being redirected to your PayPal account , within 10 seconds'

Do not Enter Personal Information on the Screen Displayed by the CryTekk Ransomware

You should not enter personal or financial information on the 'Confirm Your personal information PayPal.' screen generated by the CryTekk Ransomware. Contacting the 'crytekk@protonmail.com' and 'herschelgomez@xyzzyu.com' email accounts used by the CryTekk Ransomware team is not advised either. PC users are unlikely to receive decryption services from the CryTekk Ransomware developers and should use data backups to restore their local disks. You can use an anti-malware utility to terminate the processes and delete the files created by the CryTekk Ransomware on your system.
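The network and contact indicators in this write-up (the phishing host from the 'Buy Now' flow, the two contact email addresses above, and the bitcoin address in the ransom note) are what a SOC would push into proxy and mail monitoring. The script below is an added example, not part of the original article: it takes the indicators exactly as the article prints them (defanged), refangs them, and matches them against log lines. The log lines and their format are constructed for the demo and do not correspond to any particular product.

```python
"""Added example (not from the original article): refang the indicators the
write-up lists and match them against proxy and mail log lines."""
import re

# Indicators exactly as the article prints them (defanged where it defangs them)
DEFANGED = {
    "phishing_host": "h[tt]p://ppyc-ve0rf.890m[.]com",
    "contact_email": "CryTekk@protonmail.com",
    "contact_email_2": "herschelgomez@xyzzyu.com",
    "btc_address": "34ieoNtVEUpcWeVbuxUWXoyANEBBv22TUb",
}


def refang(value):
    """Undo common defanging conventions: h[tt]p / hxxp -> http, [.] -> ."""
    value = value.replace("h[tt]p", "http").replace("hxxp", "http")
    return value.replace("[.]", ".").replace("(.)", ".")


def host_of(url):
    """Extract the hostname from a URL (or return the value unchanged)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else url.lower()


INDICATORS = {
    "phishing_host": host_of(refang(DEFANGED["phishing_host"])),
    "contact_email": DEFANGED["contact_email"].lower(),
    "contact_email_2": DEFANGED["contact_email_2"].lower(),
    "btc_address": DEFANGED["btc_address"],
}

# Match the host or any subdomain of it, but not a longer name that merely
# contains it (e.g. '<host>.something.net'), and not a partial label.
_HOST_RE = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(INDICATORS["phishing_host"]) + r"(?![\w.-])"
)


def scan_lines(lines):
    """Return (line_no, indicator_name) for every line containing an indicator.
    Host and e-mail matches are case-insensitive; the bitcoin address is
    matched exactly, since its casing is significant."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if _HOST_RE.search(low):
            hits.append((n, "phishing_host"))
        for key in ("contact_email", "contact_email_2"):
            if INDICATORS[key] in low:
                hits.append((n, key))
        if INDICATORS["btc_address"] in line:
            hits.append((n, "btc_address"))
    return hits


# Constructed sample log lines (format assumed): proxy records, mail records
# and a free-text note. The PayPal and colleague lines are benign controls.
SAMPLE_LOG = [
    "2019-01-05T10:12:01Z 10.0.0.23 GET http://ppyc-ve0rf.890m.com/resolve/ 200",
    "2019-01-05T10:12:03Z 10.0.0.23 GET https://www.paypal.com/signin 200",
    "2019-01-05T10:13:47Z 10.0.0.23 GET http://cdn.ppyc-ve0rf.890m.com/style.css 200",
    "2019-01-05T11:02:10Z smtp from=<user@example.org> to=<crytekk@protonmail.com> status=sent",
    "2019-01-05T11:05:00Z smtp from=<user@example.org> to=<colleague@example.org> status=sent",
    "2019-01-05T11:30:12Z note_text contains 34ieoNtVEUpcWeVbuxUWXoyANEBBv22TUb",
]

if __name__ == "__main__":
    for line_no, indicator in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {indicator} -> {SAMPLE_LOG[line_no - 1]}")
```

Keeping the indicators in their defanged form and refanging them in code means the list can be pasted verbatim from a write-up without risk of an analyst clicking a live link in the source file.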
