Ransomware stops you from using your PC. It holds your PC or files for ransom.
Some versions of ransomware are called "FBI Moneypak" or the "FBI virus" because they use the FBI's logos.
They will demand that you do something to get access to your PC or files. We have seen them:
Often the ransomware will claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.
These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.
There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.
Crowti (also known as Cryptowall) and Tescrypt (also known as Teslacrypt) are two ransomware families that have infected over half a million PCs running Microsoft security software in the first half of 2015. Since the start of 2015, we've observed Crowti to be the most prevalent ransomware overall, accounting for 30% of all ransomware families, as shown in Figure 1.
Figure 1. Top 10 Ransomware (January to June 2015)
Notice in particular that Tescrypt sits within the six families that each had less than a 5% share of the total. This is because Tescrypt is relatively new – while we’ve seen big detection numbers between April and June, it still hasn’t been enough to wipe out Crowti and Krypterade.
Figure 2. Top 10 Ransomware (May 2015)
While Tescrypt has only been prevalent since April 2015, we've seen its infection rate spike dramatically during that time. Between April and May, it increased by over 600%. This increase in activity is likely due to it being distributed by a number of active exploit kits, specifically Exploit:SWF/Axpergle (Angler), Exploit:JS/Neclu (Nuclear), JS/Fiexp (Fiesta), and JS/Anogre (Sweet Orange). Figure 2 shows the share it had during May.
Figure 3. Top 10 Ransomware (June 2015)
A breakdown of the top 10 ransomware distribution for the past 30 days (May 19 to June 18, 2015) is represented in Figure 3.
Both Crowti and Tescrypt target home users and enterprise industries. Their infection chains are also similar, and we’ve seen that email spam and exploit kits are the main infection vectors.
Figure 4. Tescrypt/Crowti infection chain
Figure 4 is a representation of the infection chain for both families.
These ransomware families encrypt files on the PC and direct the machine’s user to a webpage that typically asks for ransom payment using bitcoins.
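The file-encryption behaviour described above is what behaviour-based detection keys on: one process rewriting many user documents in a short time, usually with a new extension and high-entropy contents. The following is an added example, not code from the original post or from Microsoft, showing that heuristic over a constructed file-activity log. The log format (`timestamp pid process action path`), the process name `updater.exe`, the `.locked` extension and the thresholds are all assumptions made for the example.

```python
"""Rate-based detection of bulk file rewrites from a constructed file-activity log.

Added example, not from the original post. It assumes a hypothetical log with one
event per line: "<ISO timestamp> <pid> <process> <action> <path>".
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample telemetry (not real data): a word processor saves one
    document twice, and a hypothetical process rewrites 30 pictures in 30 seconds."""
    lines = ["2015-06-18T09:00:00 1204 winword.exe WRITE C:\\Users\\a\\Documents\\report.docx"]
    base = datetime(2015, 6, 18, 9, 1, 0)
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} 3320 updater.exe WRITE C:\\Users\\a\\Pictures\\photo{i}.jpg.locked")
    lines.append("2015-06-18T09:05:00 1204 winword.exe WRITE C:\\Users\\a\\Documents\\report.docx")
    return lines


def parse_event(line):
    """Split one log line into its fields; the path may itself contain spaces."""
    ts, pid, process, action, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "process": process, "action": action, "path": path}


def detect_bulk_writes(lines, window_seconds=60, threshold=20):
    """Alert on any process that writes at least `threshold` distinct files
    within any `window_seconds` sliding window."""
    by_proc = defaultdict(list)
    for ev in (parse_event(l) for l in lines if l.strip()):
        if ev["action"] == "WRITE":
            by_proc[(ev["pid"], ev["process"])].append((ev["ts"], ev["path"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (pid, proc), writes in by_proc.items():
        writes.sort()
        in_window = Counter()   # distinct paths currently inside the window
        j = 0
        best, best_start = 0, None
        for i, (start, path_i) in enumerate(writes):
            # Advance the right edge while events still fall inside the window.
            while j < len(writes) and writes[j][0] - start <= window:
                in_window[writes[j][1]] += 1
                j += 1
            if len(in_window) > best:
                best, best_start = len(in_window), start
            # Slide the left edge past event i.
            in_window[path_i] -= 1
            if in_window[path_i] == 0:
                del in_window[path_i]
        if best >= threshold:
            top_ext = Counter(p.rsplit(".", 1)[-1] for _, p in writes).most_common(1)[0][0]
            alerts.append({"pid": pid, "process": proc, "distinct_files": best,
                           "window_start": best_start.isoformat(),
                           "top_extension": top_ext})
    return alerts


def shannon_entropy(data):
    """Bits per byte of a buffer; encrypted output sits close to 8.0, while
    typical documents sit well below it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    for alert in detect_bulk_writes(build_sample_log()):
        print(alert)
    print("entropy of plain text:", round(shannon_entropy(b"Quarterly report draft, version 3"), 2))
    print("entropy of uniform bytes:", shannon_entropy(bytes(range(256))))
```

The rate heuristic on its own would also fire on a legitimate bulk operation such as a backup or a compiler run, so in practice the entropy check on the written contents and an allow-list of known processes are combined with it before raising an incident.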
See the following descriptions for a list of the file type extensions each family targets for encryption:
Crowti can be downloaded by other malware, such as:
It can also be downloaded when you click on a link in a spam email. It’s important to be aware of the dangers in opening suspicious emails to avoid falling prey to these ransomware attacks.
See the Win32/Crowti and Win32/Tescrypt descriptions for information on how these threats work.