
Ransom:Win32/Crowti.A


First posted on 18 March 2019.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Crowti.A.

Explanation:

Installation

This threat is an HTML page dropped by Ransom:Win32/Crowti.

Payload

This malware can encrypt the files on your PC using a public key. The files can be decrypted with a private key stored on a remote server.

Crowti uses the following file names for its ransom note, which contains instructions on how to decrypt your files:

DECRYPT_INSTRUCTION.HTML
HELP_DECRYPT.HTML
HELP_DECRYPT.TXT
HELP_DECRYPT.URL
HELP_DECRYPT.PNG

The ransom note is launched after the malware is done encrypting files in the system.

We have observed it connect to the following URLs:

XXXeffectpublications.com/wp-includes/theme-compat/ap1.php
XXXeliasgreencondo.com/wp-content/cache/ap4.php
XXXelitefitnessproduct.com/wp-admin/js/ap3.php

Analysis by: Vladimir Zubko

Last update 18 March 2019

 
