
Ransom:Win32/Criakl.C


First posted on 31 December 2014.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Criakl.C.

Explanation:

Threat behavior

Installation

We have seen this threat use the file name winrar.exe, likely to make you think it is a legitimate app.

This threat drops a copy of itself in the following directory:

  • %ProgramFiles%/temp/


It also drops the following files:

  • d.bat
  • temp .tmp - this file contains the infection ID number as mentioned in the ransomware message
  • destop.bmp - the ransomware message that is shown on your desktop


Payload

Encrypts your files

The threat might encrypt the following file types on your PC's hard drives:

  • .doc
  • .docx
  • .jpg
  • .txt
  • .xml
  • .zip


It renames your files by adding the following string to the file extension:

  • .id-{<36 random numbers>-@@ @@ }-email--ver-


For example, if you have a file called myfile.doc, the threat would rename the file to look like the following (note that "X" would be replaced with a number):

  • myfile.doc.id-{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-01@01@2000 01@01@01 AM1111111}-email--ver-X.X.X.X

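One way a defender can recognise this rename pattern when triaging a file listing, as an added example that is not part of the Microsoft write-up. The regular expression is built from the example above; the digit-run length, timestamp shape, and the empty "email" field are assumptions taken from that single example, and the sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Rename pattern as shown on the page (assumption: field shapes are inferred
# from the single documented example; the email field is shown empty there,
# so it is matched as optional).
CRIAKL_RENAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-\{(?P<infection_id>\d{36})"
    r"-(?P<timestamp>\d{2}@\d{2}@\d{4} \d{2}@\d{2}@\d{2} [AP]M\d*)\}"
    r"-email-(?P<email>[^-]*)-ver-(?P<version>\d+(?:\.\d+){3})$"
)


def parse_criakl_name(path):
    """Return the fields of a Criakl-style renamed file, or None if no match."""
    # PureWindowsPath splits on backslashes regardless of the host OS.
    m = CRIAKL_RENAME_RE.match(PureWindowsPath(path).name)
    return m.groupdict() if m else None


def scan_for_renamed_files(paths):
    """Group suspected encrypted files by the infection ID embedded in the name."""
    hits = {}
    for p in paths:
        info = parse_criakl_name(p)
        if info:
            hits.setdefault(info["infection_id"], []).append(p)
    return hits


# Constructed sample listing (not real victim data), following the page's example.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\myfile.doc.id-{123456789012345678901234567890123456-01@01@2000 01@01@01 AM1111111}-email--ver-1.0.0.0",
    r"C:\Users\alice\Pictures\holiday.jpg.id-{123456789012345678901234567890123456-01@01@2000 01@01@01 AM1111111}-email--ver-1.0.0.0",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Program Files\temp\destop.bmp",
]

if __name__ == "__main__":
    for infection_id, files in scan_for_renamed_files(SAMPLE_LISTING).items():
        print(f"infection ID {infection_id}: {len(files)} renamed file(s)")
```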

It then shows you the following screen, which demands you send an email to the malware author and transfer an undisclosed amount of money:



The message is written in Russian, and is:

ФÐÐ™Ð›Ы Ð—ÐШИФРОÐ’АНЫ!

ФанÑ‚омас Ñ€азбушевался и зашиÑ„Ñ€овал все Ð’аши важнÑ‹е Ñ„айлÑ‹, да, да, даже оÑ„иснÑ‹е!
Но не отчаивайÑ‚есÑÂŒ, он гоÑ‚ов иÑÂ… Ð’ам веÑ€нутÑÂŒ, если ÐÂ’Ñ‹ напишиÑ‚е на его Ñ„анÑ‚омаса-почту и пÑ€едложиÑ‚е некоÑ‚оруÑÂŽ сумму денег.
Не забудÑŒте указаÑ‚ÑÂŒ Ñ„анÑ‚омас-иденÑ‚иÑ„икаÑ‚оÑ€, написаннÑ‹й в конце каждого Ñ„айла.
ФанÑ‚омас лÑŽбиÑ‚ замеÑ‚аÑ‚ÑÂŒ следÑ‹, поэтому если ÐÂ’Ñ‹ не напишиÑ‚е ему в Ñ‚ечении 48 часов, он удалиÑ‚ Ð’аш клÑŽч Ñ€асшиÑ„Ñ€овки и Ñ€асшиÑ„Ñ€овка Ñ„айлов будеÑ‚ невозможна!

When translated into English, the message is:

FILES ENCRYPTED!

Fantomas got angry and encrypted all your files, yes, yes, office files too.
But don't despair, he's ready to return them to you, if you send him a fanto-mail and offer a certain amount of money.
Don't forget to include fanto-id written at the end of the name of every file.
Fantomas likes to sweep the traces, and that's why if you don't reply within 48 hours, he will delete your decryption key and decrypting your files will become impossible!



Analysis by Carmen Liang

Symptoms

The following can indicate that you have this threat on your PC:
  • You can't open your files, and they look similar to this:
    • myfile.doc.id-{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-01@01@2000 01@01@01 AM1111111}-email--ver-X.X.X.X
  • You see a message similar to this one:

Last update 31 December 2014
