Warning message... Link to action
Supply chain attacks explained Watch video
Aliases: No associated aliases
Windows Defender Antivirus detects and removes this threat.
This ransomware encrypts the files on your PC and shows you a webpage with instructions on how to decrypt them.
This threat might have been downloaded onto your PC by other malware.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November 2017, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices.
There is no one-size-fits-all response if you have been victimized by ransomware. There is no guarantee that paying the ransom will give you access to your files.
If you've already paid, see ransomware page for help on what to do now.
Run antivirus or antimalware software
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
Get more help
If you’re using Windows XP, see our Windows XP end of support page.
The threat creates the following files:
- %APPDATA%\windows\crsrss.exe - copy of the malware
- %ProgramData%\drivers\crsrss.exe - copy of the malware
- %TEMP%\state.tmp - temporary file used for the encryption
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Client Server Runtime Subsystem" or "CSRSS"
With data: "<location of the malware copy>"
It also modifies the following registry entry - possibly as a way of storing configuration data the ransomware uses during encryption:
Sets value: "i"
With data: "<hexadecimal string>", for example "f70cf3801cb6f9da2858"
Encrypts your files
This threat encrypts files on your PC that have the following extensions.
The encrypted files will have their extension changed to one of the following:
In earlier versions, from April 2015 to June 2016, we have seen this ransomware rename the encrypted file in the format <random characters>=.xbtl, for example DWoqBAnMDpI9ij0IjGn1uaRpz-jzei37J5dFIrnROGE=.xtbl.
After it encrypts your files, the threat drops a ransom note in each folder where it encrypted files. The note has the file name in the format README<number>.txt (for example, README8.txt) and looks like the following:
In July 2016 we've seen a newer version that sends victims to a Tor website for the recovery code and ransom payment process. Note, however, that during analysis the website was blocked or not responding, as showing the following screenshot:
It also displays a wallpaper that looks like the following (in some cases the message was garbled or included unidentifiable characters and symbols):
We've also seen the threat connect to the following remote servers on ports 443 and 80 to send information about your PC to a remote attacker:
It also connects to the legitiate website http://whatismyipaddress.com to determine the IP of the infected PC.
Analysis by Marianne Mallen and Patrick Estavillo
The following can indicate that you have this threat on your PC:
- You can't open your files
- You see a message like the following: