Home / malware Ransom:Win32/Critroni.B
First posted on 03 February 2015.
Source: MicrosoftAliases :
There are no other names known for Ransom:Win32/Critroni.B.
Explanation :
Threat behavior
NInstallation
This threat can be downloaded onto your PC Spammer:Win32/Tedroo or by exploit kits.
Once installed it injects code into system processes such as svchost.exe.
It also installs itself in the following locations:
- %TEMP% \
.exe \ .exe
For example,could be nwdfmog.exe.
The malware creates a task in %windir%\tasks with a random name, for example, %windir%\tasks\hdvoxzi.job.
Payload
Encrypts files
This threat can encrypt the files on your PC using a public key and change the extension of the encrypted files to .cbtl.
It looks for and encrypts the following file types:
3fr
7z
abu
accdb
ai
arp
arw
bas
bay
bdcr
bdcu
bdd
bdp
bds
blend
bpdr
bpdu
bsdr
bsdu
c
cdr
cer
config
cpp
cr2
crt
crw
cs dbf
dbx
dcr
dd
dds
der
dng
doc
docm
docx
dwg
dxf
dxg
eps
erf
fdb
gdb
groups
gsd
gsf
ims
indd
iss
jpe
jpeg
jpg
js
kdc kwm
md
mdb
mdf
mef
mrw
nef
nrw
odb
odm
odp
ods
odt
orf
p12
p7b
p7c
pas
pdd
pef
pem
pfx
php
pl
ppt
pptm
pptx
psd
pst
ptx
pwm
py
r3d
raf
rar
raw
rgx
rik
rtf
rw2
rwl
safe
sql
srf
srw
txt
vsd
wb2
wpd
wps
xlk
xls
xlsb
xlsm
xlsx
zip
After it locks your files, earlier versions of this malware display a message similar those shown below with English and Russian translations. The message lists the files that have been encrypted on your PC. It directs you to a Tor webpage asking for payment using BitCoin as currency. It claims that once you have paid you will be able to recover the files using a personal link.
The latest versions of this malware also can display a message written in anumber of languages, including Dutch, Italian, German, Lativan and Spanish:
The threat also replaces your desktop wallpaper with instructions on how to pay using Bitcoin as currency:
Analysis by Marianne Mallen
Symptoms
The following could indicate that you have this threat on your PC:
- You see a message similar to those shown above
Last update 03 February 2015
