Ransom:Win32/Crowti


Microsoft security software detects and removes this threat.

This ransomware encrypts the files on your PC and directs you to a webpage with instructions on how to unlock them. It asks you to make a payment using bitcoins.

The ransom or "lock" screen can use the name CryptoDefense or CryptoWall.

This threat can be downloaded by other malware, such as TrojanDownloader:Win32/Onkods or TrojanDownloader:Win32/Upatre. It can also be downloaded when you click on a link in a spam email.

More information about ransomware can be found on our Ransomware page.

Find out ways that malware can get on your PC.

What to do now

Microsoft doesn't recommend you pay the ransom. There is no guarantee that paying it will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat can be downloaded by other malware, such as TrojanDownloader:Win32/Onkods or TrojanDownloader:Win32/Upatre. It can also be downloaded when you click on a link in a spam email with a file name similar to Fax-<randomnumber>.zip or incoming_wire_report.zip.

Win32/Crowti installs a randomly named copy of itself in one of these paths:

  • c:\<random name>\<random name>.exe
  • %APPDATA%\<random name>.exe
  • <start menu>\programs\startup\<random name>.exe

It modifies one of the following registry entries so that it runs each time you start your PC:

In subkey: HKU\Registry\User\<SID>\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random name>" 
With data: "c:\<random name>\<random name>.exe"

In subkey: HKU\Registry\User\<SID>\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "*<random name>" 
With data: "c:\<random name>\<random name>.exe"

Examples of <random name> could be:

  • 3d0bbc8
  • 7716b6d
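
The persistence shape above (a random hex name used both as the Run/RunOnce value name and as the executable's file name) is simple to check for. The following is an added example, not code from the original write-up: it classifies autorun values read from the Run and RunOnce subkeys, using a constructed sample rather than data from a real host. It assumes the random name is 6 to 8 lowercase hex characters, generalised from the two examples listed on this page.

```python
import ntpath
import re
from typing import List, NamedTuple, Tuple

class RunValue(NamedTuple):
    subkey: str  # registry subkey the value was read from
    name: str    # value name, e.g. "3d0bbc8" or "*7716b6d"
    data: str    # value data (the command to run)

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = RUN + "Once"

# Constructed sample of autorun values; names and paths are invented for this
# example and shaped after the entries the write-up describes.
SAMPLE_VALUES = [
    RunValue(RUN, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    RunValue(RUN, "3d0bbc8", r"c:\3d0bbc8\3d0bbc8.exe"),
    RunValue(RUNONCE, "*7716b6d", r"c:\7716b6d\7716b6d.exe"),
    RunValue(RUN, "a1b2c3d", r"C:\Users\alice\AppData\Roaming\a1b2c3d.exe"),
    RunValue(RUN, "Updater", r"C:\Program Files\Vendor\updater.exe"),
]

# Assumption: the random name is 6-8 lowercase hex characters (the page shows
# two 7-character examples, 3d0bbc8 and 7716b6d).
RANDOM_NAME = re.compile(r"[0-9a-f]{6,8}")

def classify(value: RunValue) -> str:
    """Return a reason string if the autorun value matches Crowti's persistence
    shape, or an empty string if it looks benign."""
    name = value.name.lstrip("*")
    if not RANDOM_NAME.fullmatch(name):
        return ""
    # Pull the executable path out of the command line (quotes and arguments
    # are ignored) and compare its file stem with the value name.
    m = re.match(r'\s*"?(.*?\.exe)\b', value.data, re.IGNORECASE)
    if not m:
        return ""
    stem = ntpath.splitext(ntpath.basename(m.group(1)))[0]
    if stem.lower() != name.lower():
        return ""
    reason = "value name and executable stem are the same random hex string"
    if value.name.startswith("*"):
        # A leading "*" on a RunOnce value makes Windows run it even in Safe Mode.
        reason += "; '*' prefix forces execution in Safe Mode"
    return reason

def find_suspicious(values: List[RunValue]) -> List[Tuple[RunValue, str]]:
    """Return every value that matches, paired with the reason it was flagged."""
    hits = []
    for v in values:
        reason = classify(v)
        if reason:
            hits.append((v, reason))
    return hits
```

On a live Windows host the same function can be fed values enumerated from the Run and RunOnce subkeys with the standard library's winreg module; any hit should be checked against the file paths listed above before acting on it.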

Payload

This malware can encrypt the files on your PC using a public key. The files can only be decrypted with the matching private key, which is stored on a remote server.

It then displays a lock screen (see Symptoms) telling you that you can recover the files through a personal link to a Tor webpage that asks for payment in Bitcoin.

Crowti also deletes volume shadow copies to stop you from restoring your files from a local backup.

Analysis by Marianne Mallen


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    c:\<random name>\<random name>.exe
    %APPDATA%\<random name>.exe
    <start menu>\programs\startup\<random name>.exe
  • You see these entries or keys in your registry:

In subkey: HKU\Registry\User\<SID>\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random name>" 
With data: "c:\<random name>\<random name>.exe"

In subkey: HKU\Registry\User\<SID>\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "<random name>" 
With data: "c:\<random name>\<random name>.exe"

  • You see a lock screen using the CryptoDefense or CryptoWall name (screenshots not reproduced here).

Prevention


Alert level: Severe
First detected by definition: 1.175.797.0
Latest detected by definition: 1.185.1368.0 and higher
First detected on: May 29, 2014
This entry was first published on: Jun 09, 2014
This entry was updated on: Sep 05, 2014

This threat is also detected as:
  • Dropper/Win32.Necurs (AhnLab)
  • Trojan-Ransom.Win32.Cryptodef.iu (Kaspersky)
  • Trojan horse Inject2.AHNI (AVG)
  • TR/Crypt.Xpack.64673 (Avira)
  • Trojan.Encoder.514 (Dr.Web)
  • W32/Cryptodef.AHIO!tr (Fortinet)
  • PWSZbot-FBKQ!86B6EE398F44 (McAfee)
  • Troj/Agent-AHIO (Sophos)
  • TSPY_ZBOT.SMCC (Trend Micro)