Note: Trojan:Win32/Crilock.A has been renamed to Ransom:Win32/Crilock.A; this is the current write-up for that threat.

Ransom:Win32/Crilock.A


Microsoft security software detects and removes this threat.

It encrypts your files and displays a webpage that asks you to pay a fee to unlock them.

This threat is usually installed on your PC by other malware. You can read more about ransomware on our Ransomware page.

Find out ways that malware can get on your PC.



What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

You might be able to recover encrypted files by using the tool discussed in the MMPC blog post "FireEye and Fox-IT tool can help recover Crilock-encrypted files".

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

The threat might be downloaded by other malware.

Crilock.A drops a copy of itself as %APPDATA%\Roaming\{random GUID}.exe, for example %APPDATA%\Roaming\{1400BEBE-1503-1236-2800-383F060F181A}.exe.

It makes the following changes to the registry to ensure that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "CryptoLocker"
With data: "%APPDATA%\Roaming\{random GUID}.exe", for example "%APPDATA%\Roaming\{1400BEBE-1503-1236-2800-383F060F181A}.exe"
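
A defender-side check derived from the persistence details above (an added example, not Microsoft's tooling): it classifies Run-key value name/data pairs against the pattern described here, a value named CryptoLocker whose data is a {GUID}.exe under %APPDATA%\Roaming. The sample Run-key entries are constructed; reading the live registry (for example with winreg on Windows) is left to the caller.

```python
import re
from typing import Iterable, List, Tuple

# Persistence described in the write-up:
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Run
#   value name "CryptoLocker", data "%APPDATA%\Roaming\{random GUID}.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
CRILOCK_VALUE_NAME = "CryptoLocker"

# A braced GUID (8-4-4-4-12 hex) followed directly by .exe, anchored at the end
# of the path. Surrounding quotes are optional (the write-up shows the data quoted).
_GUID_EXE = re.compile(
    r'^"?%APPDATA%\\Roaming\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe"?$',
    re.IGNORECASE,
)


def classify_run_entry(name: str, data: str) -> str:
    """Return 'match' when both value name and data fit the Crilock.A pattern,
    'suspicious' when only the path shape fits (a renamed value would still
    point at a GUID-named .exe under %APPDATA%\\Roaming), otherwise 'clean'."""
    path_matches = bool(_GUID_EXE.match(data.strip()))
    if name == CRILOCK_VALUE_NAME and path_matches:
        return "match"
    if path_matches:
        return "suspicious"
    return "clean"


def find_crilock_persistence(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Scan (value name, data) pairs read from the Run key; return every entry
    that is not clean, together with its verdict."""
    return [(n, d, v) for n, d in entries if (v := classify_run_entry(n, d)) != "clean"]


# Constructed sample Run-key contents (not taken from a real machine).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("CryptoLocker", r'"%APPDATA%\Roaming\{1400BEBE-1503-1236-2800-383F060F181A}.exe"'),
    ("Updater", r'%APPDATA%\Roaming\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}.exe'),
    ("Sidebar", r'%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun'),
]

if __name__ == "__main__":
    for name, data, verdict in find_crilock_persistence(SAMPLE_RUN_ENTRIES):
        print(f"{verdict:10s} {RUN_KEY}\\{name} = {data}")
```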

Payload

Prevents you from accessing your desktop

As part of its payload, Crilock.A displays a full-screen webpage that covers all other windows, rendering your PC unusable. The warning asks you to pay a fee to receive a randomly-generated key that will "unlock" your files and let you regain access to your PC. The ransomware displays a countdown clock counting down from 72 hours, and gives you the following payment options to pay the "fine":

  • Bitcoin
  • cashU
  • MoneyPak
  • paysafecard
  • Ukash

The key that "unlocks" your PC is unique; you will not be able to use anyone else's key. Note that these online payment systems are not associated with this threat in any way.

The following are some examples of images that Crilock.A displays:

Encrypts files

The ransomware encrypts files on your PC that it finds when searching fixed and remote drives, to prevent you from accessing them. In the wild, the malware has been observed using RSA and AES algorithms for this purpose.

Crilock.A encrypts files it finds on fixed and remote drives with the following extensions:

  • .3fr
  • .accdb
  • .ai
  • .arw
  • .bay
  • .cdr
  • .cer
  • .cr2
  • .crt
  • .crw
  • .dbf
  • .dcr
  • .der
  • .dng
  • .doc
  • .docm
  • .docx
  • .dwg
  • .dxf
  • .dxg
  • .eps
  • .erf
  • .indd
  • .jpe
  • .jpg
  • .kdc
  • .mdb
  • .mdf
  • .mef
  • .mrw
  • .nef
  • .nrw
  • .odb
  • .odc
  • .odm
  • .odp
  • .ods
  • .odt
  • .orf
  • .p12
  • .p7b
  • .p7c
  • .pdd
  • .pef
  • .pem
  • .pfx
  • .ppt
  • .pptm
  • .pptx
  • .psd
  • .pst
  • .ptx
  • .r3d
  • .raf
  • .raw
  • .rtf
  • .rw2
  • .rwl
  • .sr2
  • .srf
  • .srw
  • .wb2
  • .wpd
  • .wps
  • .x3f
  • .xlk
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx

Contacts servers

In the wild, we've observed the ransomware contacting several remote servers, possibly to download the key it uses as part of its encrypting process.

Analysis by Marianne Mallen


Symptoms

The following could indicate that you have this threat on your PC:

  • Your screen is covered by an image that looks similar to this:


Prevention


Alert level: Severe
First detected by definition: 1.157.1563.0
Latest detected by definition: 1.175.841.0 and higher
First detected on: Sep 10, 2013
This entry was first published on: Sep 10, 2013
This entry was updated on: Aug 14, 2014

This threat is also detected as:
No known aliases