Ransom:Win32/Crowti


Microsoft security software detects and removes this threat.

This ransomware encrypts the files on your PC and directs you to a webpage with instructions on how to unlock them. It asks you to make a payment using bitcoins.

The ransom or "lock" screen can use the name CryptoDefense or CryptoWall.

This threat can be downloaded by other malware, such as TrojanDownloader:Win32/Onkods or TrojanDownloader:Win32/Upatre. It can also be downloaded when you click on a link in a spam email.

More information about ransomware can be found on our Ransomware page.

Find out ways that malware can get on your PC.  



What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Enable MAPS 

Enable the Microsoft Active Protection Service (MAPS) on your system to protect your enterprise software security infrastructure in the cloud.

  1. Check if MAPS is enabled in your Microsoft security product:

    1. Select Settings and then select MAPS.

    2. Select Advanced membership, then click Save changes. With the MAPS option enabled, your Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service.

  2. Join the Microsoft Active Protection Service Community.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

See the Win32/Crowti family description for technical details.


Prevention


Alert level: Severe
First detected by definition: 1.175.797.0
Latest detected by definition: 1.205.1019.0 and higher
First detected on: May 29, 2014
This entry was first published on: Jun 09, 2014
This entry was updated on: Apr 15, 2015

This threat is also detected as:
  • Dropper/Win32.Necurs (AhnLab)
  • Trojan-Ransom.Win32.Cryptodef.iu (Kaspersky)
  • Trojan horse Inject2.AHNI (AVG)
  • TR/Crypt.Xpack.64673 (Avira)
  • Trojan.Encoder.514 (Dr.Web)
  • W32/Cryptodef.AHIO!tr (Fortinet)
  • PWSZbot-FBKQ!86B6EE398F44 (McAfee)
  • Troj/Agent-AHIO (Sophos)
  • TSPY_ZBOT.SMCC (Trend Micro)
  • Cryptowall (other)
  • Cryptodefense (other)