New ransomware encrypts all files

Came across a computer today that has an interesting new virus, a new variant of Critroni. At first I thought it had simply added the extension .CTB2 to documents & pictures on the computer, but unfortunately it also encrypts the files too unless you pay. No word on how to decrypt the files at the moment (although if anyone knows, please tell me). I have the lovely task of telling my customer now that years of personal files are unrecoverable.... bugger

There is some alleged 'remover' download here:

http://www.pcrisk.com/removal-guides/8120-your-personal-files-are-encrypted-virus

> Note: at time of writing, there were no known tools capable of decrypting files encrypted by Critroni without paying the ransom. By following this removal guide, you will be able to remove this ransomware from your computer; however, the affected files will remain encrypted. We will update this article as soon as there is more information available regarding decryption of compromised files.
>
> After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Critroni files.
>
> To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Critroni are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.
>
> To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

I don't know if it is genuine or safe.


I would use a lot of caution -- test it somehow before trying it.
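A check that goes with the Previous Versions advice quoted above, added here as an example; it is not code from the thread or from the pcrisk guide. Before telling a customer that Previous Versions is an option, it is worth finding out whether the machine actually has any Volume Shadow Copies and System Restore points left, since the guide itself notes that some Critroni variants delete them. It assumes Windows PowerShell 5.1 (Get-ComputerRestorePoint is not available in PowerShell 7), an elevated prompt, and that the drive of interest is C:.

```powershell
# Added example, not code from the thread or from the pcrisk guide it quotes.
# Inventory the snapshots that the "Previous Versions" tab reads from, so you
# know whether there is anything to restore before relying on it.
# Assumes Windows PowerShell 5.1 running from an elevated prompt.

function Get-ShadowCopyInventory {
    # Map each \\?\Volume{GUID}\ device path to its drive letter for readable output.
    $volumes = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
        if ($_.DriveLetter) { $volumes[$_.DeviceID] = $_.DriveLetter }
    }

    # Win32_ShadowCopy lists the Volume Shadow Copies currently present.
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Drive   = $volumes[$_.VolumeName]
                Created = $_.InstallDate
                ID      = $_.ID
            }
        } | Sort-Object Drive, Created
}

function Test-PreviousVersionsAvailable {
    param([string]$DriveLetter = 'C:')   # assumed drive; change to suit the machine

    $shadows = @(Get-ShadowCopyInventory | Where-Object { $_.Drive -eq $DriveLetter })
    $points  = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)

    if ($shadows.Count -eq 0) {
        Write-Warning "No shadow copies exist for $DriveLetter. Previous Versions will show nothing; either System Protection was off or the copies have been deleted."
    } else {
        Write-Host "Shadow copies for $DriveLetter (oldest first):"
        $shadows | Format-Table -AutoSize
    }

    if ($points.Count -eq 0) {
        Write-Warning "No System Restore points found."
    } else {
        Write-Host "Restore points:"
        $points | Select-Object SequenceNumber, Description,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
            Format-Table -AutoSize
    }

    # $true only if there is at least one snapshot of this drive to restore from.
    return ($shadows.Count -gt 0)
}

# Run the check. A $false result means Previous Versions is not a recovery option
# for this drive and you are down to whatever offline backups exist.
Test-PreviousVersionsAvailable -DriveLetter 'C:'

# On a machine that is clean (or freshly reinstalled), turn System Protection on so
# that future snapshots exist, and take a baseline now:
#   Enable-ComputerRestore -Drive 'C:\'
#   Checkpoint-Computer -Description 'Baseline after cleanup' -RestorePointType MODIFY_SETTINGS
```

The inventory is read-only; nothing here creates or deletes snapshots, so it is safe to run on an infected machine before any cleanup. The two commented commands at the end are the ones to run afterwards, and they only help future incidents: a snapshot taken after encryption contains only the encrypted files.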
I had this on my work HP machine the other day; pain in the butt.

You can try right-clicking on the files and using Previous Versions to get the files back, but it was disabled on my PC.

The "good" thing about this is that it will hopefully kick people into doing backups of their PC.

Thankfully the data on my work machine was pretty much useless, so I never backed it up.

Ouch, sounds like a nasty bit of software... and at the same time very clever.

These guys must make a decent amount from all this. Maybe they use a different address for each PC, as the bitcoin address in the article hasn't received anything -

https://blockchain.info/address/8f4eac149b30bf84fa73dc01af72f6d79bcd51f7

Any idea on where it comes from or how it gets into the computer in the first place?
Hopefully not just from some infected ad being displayed or something.
> Hopefully not just from some infected ad being displayed or something.

It could very well happen. Sandboxie FTW.
> Any idea on where it comes from or how it gets into the computer in the first place?
>
> Hopefully not just from some infected ad being displayed or something.

The links posted above claim that they come from spam e-mail attachments. So as long as you use common sense you should be fine.
> You view websites in Sandboxie?

Totally doable, sure -- no matter what browser you're using, it's sandboxed. Hit a naughty site/advertisement that tries to exploit a vulnerability in the browser or a plugin, download a not-so-nice extension, etc. etc., and it's contained. Also good when you're the type that downloads random stuff without thinking. You'd wind up with a bunch of encrypted files in the sandbox, meanwhile the originals are still safe in the real file system. Flush the sandbox and continue on your way. Set up my daughter's system to do that as she's not supposed to be downloading stuff anyway; also set it on one of my neighbour's machines, as he's got a habit of installing stuff "because the nice website told him to". Haven't had to deal with problems on his since.


> There is some alleged 'remover' download here:
>
> http://www.pcrisk.com/removal-guides/8120-your-personal-files-are-encrypted-virus
>
> Note: at time of writing, there were no known tools capable of decrypting files encrypted by Critroni without paying the ransom. By following this removal guide, you will be able to remove this ransomware from your computer; however, the affected files will remain encrypted. We will update this article as soon as there is more information available regarding decryption of compromised files.
>
> After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Critroni files.
>
> To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Critroni are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.
>
> To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.
>
> I don't know if it is genuine or safe.
>
> I would use a lot of caution -- test it somehow before trying it.

Good idea; I reinstalled Windows before I even knew it had a virus though, so it wouldn't work.

Sucks for the owner really. Most spyware/malware I've come across over the years is just annoying, but this is something different.
> Yes I do, and have been doing it for the last 7 years on all my machines. :D

Not nearly as paranoid as you, and I probably don't visit some of the sites you must be viewing, but from what I've seen of doing things in a sandbox, I think I'll just stick with common sense, a good hosts file and adblockers. Besides, if, as one poster says, this comes mainly from e-mail attachments, I don't think I have anything to worry about.

I do backups often enough also that I'm not that paranoid. ;)

Nick H. locked this topic.
This topic is now closed to further replies.