You have been re-routed to the Ransom:Win32/Crilock.B write up because Trojan:Win32/Crilock.B has been renamed to Ransom:Win32/Crilock.B
 

Ransom:Win32/Crilock.B


Microsoft security software detects and removes this threat.

This threat encrypts your files and displays a webpage that asks you to pay a fee to unlock them.

More information on this type of threat is in the Ransom:Win32/Crilock.A description and on our Ransomware page.

Find out ways that malware can get on your PC.  



What to do now

Microsoft doesn't recommend you pay the ransom. There is no guarantee that paying it will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

You might be able to recover encrypted files by using the tool discussed in the MMPC blog post FireEye and Fox-IT tool can help recover Crilock-encrypted files.

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

When it runs, Ransom:Win32/Crilock.B copies itself to %APPDATA%\zkauhxfbmpubhr.exe.

It creates the following files on your PC:

Payload

Contacts servers

Ransom:Win32/Crilock.B might contact these servers using port 80:

  • abnwkkopkiyivyg.net
  • aqjtxashqqtlgoj.co.uk
  • boiyusssrlkvehf.biz
  • cuhspiuhlnvphsy.ru
  • dicuaqyksqhdguk.org
  • eyrobrprduadhni.co.uk
  • fmmqlatukxlqpdl.info
  • kwkmwnafjkpvgrd.com
  • lxutqdnwktrfpjg.biz
  • mookxudggvwxggf.org
  • npyrrkqxhfyhify.info
  • ovenbdjnihhdlb.net
  • xyfvwspgtfmjgsd.net
  • yapdqidxuoosgwo.ru

Commonly, malware contacts a remote host to:

  • Confirm Internet connectivity
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files (including updates or additional malware)
  • Receive instructions from a malicious hacker
  • Upload data taken from your PC

This malware description was produced and published using our automated analysis system's examination of file SHA1 48146b81b85e41b67489f2c20a4e38cb10d1c778.


Symptoms

The following could indicate that you have this threat on your PC:

  • You have this file: %APPDATA%\zkauhxfbmpubhr.exe
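The indicators in the Contacts servers list and in this Symptoms section can be hunted for across an estate rather than one PC at a time. The script below is an added example for this page, not Microsoft's tooling: it loads the domains, the dropped file name and the SHA1 from the write-up and matches them against DNS query records and file-creation events. The two log line formats and the sample lines are constructed for the example and are assumptions, not the output of any particular product; the expansion of %APPDATA% to a path under AppData\Roaming is the usual Windows default.

```python
"""Hunt for the Ransom:Win32/Crilock.B indicators from this write-up in
DNS query logs and file-creation events.

Added example for this page; not Microsoft's tooling.  Log formats and
sample lines are constructed assumptions, not real product output.
"""
import re

# Indicators copied from the write-up above.
CRILOCK_DOMAINS = frozenset({
    "abnwkkopkiyivyg.net", "aqjtxashqqtlgoj.co.uk", "boiyusssrlkvehf.biz",
    "cuhspiuhlnvphsy.ru", "dicuaqyksqhdguk.org", "eyrobrprduadhni.co.uk",
    "fmmqlatukxlqpdl.info", "kwkmwnafjkpvgrd.com", "lxutqdnwktrfpjg.biz",
    "mookxudggvwxggf.org", "npyrrkqxhfyhify.info", "ovenbdjnihhdlb.net",
    "xyfvwspgtfmjgsd.net", "yapdqidxuoosgwo.ru",
})
CRILOCK_FILENAME = "zkauhxfbmpubhr.exe"          # dropped as %APPDATA%\<this>
CRILOCK_SHA1 = "48146b81b85e41b67489f2c20a4e38cb10d1c778"

# Constructed DNS log, assumed format: "<time> <client_ip> query <name>"
SAMPLE_DNS_LOG = """\
2013-10-10T08:01:12Z 10.0.0.5 query www.microsoft.com
2013-10-10T08:01:15Z 10.0.0.5 query abnwkkopkiyivyg.net.
2013-10-10T08:01:16Z 10.0.0.5 query CUHSPIUHLNVPHSY.RU
2013-10-10T08:02:40Z 10.0.0.9 query mail.example.org
2013-10-10T08:02:41Z 10.0.0.9 query api.yapdqidxuoosgwo.ru
"""

# Constructed file-creation log, assumed format:
# "<time> <host> FileCreate <path> sha1=<hex>"
SAMPLE_FILE_LOG = r"""
2013-10-10T08:00:59Z WS-ALICE FileCreate C:\Users\alice\AppData\Roaming\zkauhxfbmpubhr.exe sha1=48146b81b85e41b67489f2c20a4e38cb10d1c778
2013-10-10T08:03:10Z WS-BOB FileCreate C:\Users\bob\Downloads\invoice.pdf sha1=0123456789abcdef0123456789abcdef01234567
2013-10-10T08:05:00Z WS-CAROL FileCreate C:\Users\carol\AppData\Roaming\Update.exe sha1=48146B81B85E41B67489F2C20A4E38CB10D1C778
2013-10-10T08:06:00Z WS-DAVE FileCreate C:\Temp\zkauhxfbmpubhr.exe sha1=fedcba9876543210fedcba9876543210fedcba98
"""

DNS_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s*$")
FILE_RE = re.compile(r"^(\S+)\s+(\S+)\s+FileCreate\s+(.+?)\s+sha1=([0-9A-Fa-f]{40})\s*$")


def normalize_domain(name: str) -> str:
    """Lowercase and strip the trailing dot that some resolvers log."""
    return name.strip().rstrip(".").lower()


def matching_indicator_domain(name: str):
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    labels = normalize_domain(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CRILOCK_DOMAINS:
            return candidate
    return None


def match_dns(log_text: str):
    """Return one hit per DNS query that resolves a listed domain (or a subdomain of one)."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue  # blank, comment or foreign-format line
        ts, client, qname = m.groups()
        ioc = matching_indicator_domain(qname)
        if ioc:
            hits.append({"time": ts, "client": client, "query": qname, "indicator": ioc})
    return hits


def match_files(log_text: str):
    """Return one hit per file event matching the hash or the dropped file name.

    Reasons, strongest first: "sha1" (same binary, any name or location),
    "appdata_path" (listed name under AppData\\Roaming, the usual %APPDATA%),
    "filename_only" (listed name elsewhere; weaker, worth a look).
    """
    hits = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        ts, host, path, sha1 = m.groups()
        reasons = []
        if sha1.lower() == CRILOCK_SHA1:
            reasons.append("sha1")
        filename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if filename == CRILOCK_FILENAME:
            reasons.append("appdata_path" if "\\appdata\\roaming\\" in path.lower()
                           else "filename_only")
        if reasons:
            hits.append({"time": ts, "host": host, "path": path, "reasons": reasons})
    return hits


def affected_machines(dns_hits, file_hits):
    """Distinct clients and hosts with at least one hit, for triage."""
    return {
        "dns_clients": sorted({h["client"] for h in dns_hits}),
        "file_hosts": sorted({h["host"] for h in file_hits}),
    }


if __name__ == "__main__":
    dns_hits, file_hits = match_dns(SAMPLE_DNS_LOG), match_files(SAMPLE_FILE_LOG)
    for h in dns_hits:
        print(f"DNS  {h['time']} {h['client']} -> {h['query']} (matches {h['indicator']})")
    for h in file_hits:
        print(f"FILE {h['time']} {h['host']} {h['path']} ({', '.join(h['reasons'])})")
    print(affected_machines(dns_hits, file_hits))
```

A hash match is the strongest signal because the SHA1 identifies the analysed sample regardless of where it was written; a hit on the file name outside AppData\Roaming is reported separately so it can be checked rather than silently dropped. Subdomain matching on the DNS side catches queries such as api.yapdqidxuoosgwo.ru that an exact-string comparison would miss.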

Prevention


Alert level: Severe
First detected by definition: 1.159.1765.0
Latest detected by definition: 1.179.160.0 and higher
First detected on: Oct 09, 2013
This entry was first published on: Oct 24, 2013
This entry was updated on: Aug 14, 2014

This threat is also detected as:
  • TROJ_CRILOCK.AK (Trend Micro)
  • Trojan-Ransom.Win32.Blocker.cpqn (Kaspersky)
  • Troj/Ransomcr-B (Sophos)