Ransom:Win32/Critroni.A
First posted on 05 August 2014.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Critroni.A.
Explanation:
Threat behavior
Installation
This threat can be downloaded onto your PC by Spammer:Win32/Tedroo or by exploit kits.
Once installed it injects code into system processes such as svchost.exe.
It also installs itself in the following locations:
- %TEMP%\<random>.exe
- <random>\<random>.exe
For example, <random> could be nwdfmog.exe.
Ransom:Win32/Critroni.A creates a task in %windir%\tasks with a random name, for example, %windir%\tasks\hdvoxzi.job.
Payload
Encrypts files
This threat can encrypt the files on your PC using a public key and change the extension of the encrypted files to .cbtl.
It looks for and encrypts the following file types:
- 3fr
- 7z
- accdb
- ai
- arw
- ay
- blend
- cdr
- cer
- cr2
- crt
- crw
- db
- dbf
- dcr
- dd
- dds
- der
- dng
- doc
- docm
- docx
- dwg
- dxf
- dxg
- eps
- erf
- groups
- indd
- jpe
- jpeg
- jpg
- kdc
- kwm
- md
- mdb
- mdf
- mef
- mrw
- nef
- nrw
- odb
- odm
- odp
- ods
- odt
- orf
- p12
- p7b
- p7c
- pdd
- pef
- pem
- pfx
- ppt
- pptm
- pptx
- psd
- pst
- ptx
- pwm
- r3d
- raf
- rar
- raw
- rtf
- rw2
- rwl
- safe
- sql
- srf
- srw
- txt
- sd
- wb2
- wpd
- wps
- xlk
- xls
- xlsb
- xlsm
- xlsx
- zip
After it locks your files, Ransom:Win32/Critroni.A displays a message similar to those shown below, with English and Russian translations. The message lists the files that have been encrypted on your PC. It directs you to a Tor webpage asking for payment in Bitcoin. It claims that once you have paid you will be able to recover the files using a personal link.
The threat also replaces your desktop wallpaper with instructions similar to what is written in the messages.
Analysis by Marianne Mallen
Symptoms
The following could indicate that you have this threat on your PC:
- You see a message similar to those shown above
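A read-only triage script for the indicators this write-up lists (the .cbtl extension, a random-named .job in %windir%\tasks, a random-named .exe in %TEMP%). This is an added example, not part of Microsoft's analysis; it assumes an administrator PowerShell session on the suspect host, and the "random name" pattern `^[a-z]{5,10}$` is an assumption modelled on the two examples the page gives (nwdfmog, hdvoxzi).

```powershell
# Triage for Ransom:Win32/Critroni.A indicators. Added example; read-only, changes nothing.
# Assumption: run as local administrator; the name pattern below is a guess based on the page's examples.
$randomName = '^[a-z]{5,10}$'
$findings   = @()

# 1. Encrypted files: the write-up says encrypted files are renamed with the .cbtl extension.
$cbtl = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter '*.cbtl' -File -ErrorAction SilentlyContinue
if ($cbtl) {
    $findings += "Found $($cbtl.Count) .cbtl file(s) under $env:USERPROFILE, e.g. $($cbtl[0].FullName)"
}

# 2. Persistence: a random-named .job file in %windir%\tasks (page example: hdvoxzi.job).
$jobs = Get-ChildItem -Path (Join-Path $env:windir 'tasks') -Filter '*.job' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $randomName }
foreach ($j in $jobs) {
    $findings += "Suspicious .job file: $($j.FullName) (created $($j.CreationTime))"
}

# 3. Dropped copy: a random-named .exe directly in %TEMP% (page example: nwdfmog.exe).
$temp = Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $randomName }
foreach ($t in $temp) {
    # An unsigned binary with a random name in %TEMP% is worth pulling for analysis.
    $sig = Get-AuthenticodeSignature -FilePath $t.FullName
    $findings += "Random-named executable in %TEMP%: $($t.FullName) (signature: $($sig.Status))"
}

# 4. Cross-check: list any scheduled task whose action runs something out of %TEMP%.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Actions.Execute -like "$env:TEMP*" } |
    ForEach-Object { $findings += "Scheduled task '$($_.TaskName)' executes $($_.Actions.Execute)" }

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'No Critroni.A indicators found on this host.'
}
```

A hit on any single check is a lead, not a verdict; the .cbtl extension combined with a random-named .job or %TEMP% executable is the combination that matches this write-up.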
Last update 05 August 2014