

CryptXXX is a Windows ransomware infection that affects all versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 10. 

When a victim is infected, their files are encrypted and a ransom of about 2.4 bitcoins, or approximately $1,000 USD, is demanded in exchange for the decryption key.

Payloads

Transmission

A user is typically infected by CryptXXX through exploit kits and trojan downloaders such as Bedep. These exploit kits are hosted on hacked sites or delivered through malvertising.

Infection

When CryptXXX infects a computer it scans all drive letters for the targeted file types, encrypts them, and appends the .crypt extension to each one. Once encrypted, the files can no longer be opened by the programs that normally handle them. When CryptXXX has finished encrypting the victim's files, it changes the desktop wallpaper to an image that acts as a ransom note. It also displays an HTML ransom note in the user's default browser.

The extensions targeted by CryptXXX are:

.3DM, .3DS, .3G2, .3GP, .7Z, .ACCDB, .AES, .AI, .AIF, .APK, .APP, .ARC, .ASC, .ASF,
.ASM, .ASP, .ASPX, .ASX, .AVI, .BMP, .BRD, .BZ2, .C, .CER, .CFG, .CFM, .CGI, .CGM,
.CLASS, .CMD, .CPP, .CRT, .CS, .CSR, .CSS, .CSV, .CUE, .DB, .DBF, .DCH, .DCU,
.DDS, .DIF, .DIP, .DJV, .DJVU, .DOC, .DOCB, .DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DTD,
.DWG, .DXF, .EML, .EPS, .FDB, .FLA, .FLV, .FRM, .GADGET, .GBK, .GBR, .GED, .GIF,
.GPG, .GPX, .GZ, .H, .HTM, .HTML, .HWP, .IBD, .IBOOKS, .IFF, .INDD, .JAR, .JAVA,
.JKS, .JPG, .JS, .JSP, .KEY, .KML, .KMZ, .LAY, .LAY6, .LDF, .LUA, .M, .M3U, .M4A,
.M4V, .MAX, .MDB, .MDF, .MFD, .MID, .MKV, .MML, .MOV, .MP3, .MP4, .MPA, .MPG, .MS11,
.MSI, .MYD, .MYI, .NEF, .NOTE, .OBJ, .ODB, .ODG, .ODP, .ODS, .ODT, .OTG, .OTP, .OTS,
.OTT, .P12, .PAGES, .PAQ, .PAS, .PCT, .PDB, .PDF, .PEM, .PHP, .PIF, .PL, .PLUGIN,
.PNG, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PPT, .PPTM, .PPTX, .PRF, .PRIV,
.PRIVAT, .PS, .PSD, .PSPIMAGE, .PY, .QCOW2, .RA, .RAR, .RAW, .RM, .RSS, .RTF, .SCH,
.SDF, .SH, .SITX, .SLDX, .SLK, .SLN, .SQL, .SQLITE, .SRT, .STC, .STD, .STI,
.STW, .SVG, .SWF, .SXC, .SXD, .SXI, .SXM, .SXW, .TAR, .TBK, .TEX, .TGA, .TGZ, .THM,
.TIF, .TIFF, .TLB, .TMP, .TXT, .UOP, .UOT, .VB, .VBS, .VCF, .VCXPRO, .VDI, .VMDK,
.VMX, .VOB, .WAV, .WKS, .WMA, .WMV, .WPD, .WPS, .WSF, .XCODEPROJ, .XHTML,
.XLC, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT, .XLTM, .XLTX, .XLW, .XML,
.YUV, .ZIP, .ZIPX

When a file is encrypted, the .crypt extension is appended to its normal file name. For example, a file named accounting.doc will be renamed to accounting.doc.crypt.

While the computer's data is being encrypted, CryptXXX creates ransom notes in every folder where a file was encrypted, in the C:\ProgramData folder, and on the Windows desktop.
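An incident-response triage script for the two artefacts described above (the appended .crypt suffix and the !Recovery_[victim_id].txt notes dropped per folder), added here as an example and not taken from the original page. The targeted-extension subset and the sample directory tree are constructed for the demonstration; a real run would point triage_tree at the affected drive.

```python
import os
import fnmatch
import tempfile

# Subset of the file types the page lists as targeted (constructed for the example).
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
                       ".png", ".zip", ".sql", ".vmdk", ".txt"}
# CryptXXX drops a note named !Recovery_<victim id>.txt beside encrypted files.
RANSOM_NOTE_GLOB = "!Recovery_*.txt"

def original_name(name):
    """Undo the appended suffix: accounting.doc.crypt -> accounting.doc."""
    return name[:-len(".crypt")] if name.lower().endswith(".crypt") else None

def triage_tree(root):
    """Walk root; return {relative folder: {"encrypted": [...], "unexpected": [...],
    "note": bool}} for every folder that carries CryptXXX artefacts."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        entry = {"encrypted": [], "unexpected": [], "note": False}
        for name in files:
            if fnmatch.fnmatch(name, RANSOM_NOTE_GLOB):
                entry["note"] = True
                continue
            orig = original_name(name)
            if orig is None:
                continue
            ext = os.path.splitext(orig)[1].lower()
            # An original extension outside the target list hints at another family
            # or a mis-attribution, so it is reported separately for a second look.
            key = "encrypted" if ext in TARGETED_EXTENSIONS else "unexpected"
            entry[key].append(orig)
        if entry["encrypted"] or entry["unexpected"] or entry["note"]:
            report[os.path.relpath(dirpath, root)] = entry
    return report

def summarize(report):
    """Totals: (folders hit, encrypted files, folders carrying a ransom note)."""
    files = sum(len(e["encrypted"]) + len(e["unexpected"]) for e in report.values())
    return len(report), files, sum(e["note"] for e in report.values())

def build_sample_tree():
    """Constructed stand-in for an infected drive; returns the temp root."""
    base = tempfile.mkdtemp()
    note = "!Recovery_xxxxxxxxxxxxxxxx.txt"  # victim id placeholder as on the page
    layout = {"Documents": ["accounting.doc.crypt", "budget.xlsx.crypt", note],
              "Pictures": ["cat.jpg.crypt", note],
              "Tools": ["notes.txt", "dump.bin.crypt"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for n in names:
            open(os.path.join(base, folder, n), "w").close()
    return base
```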

An example of the !Recovery_[victim_id].txt ransom note is:

@@@@@@@ NOT YOUR LANGUAGE? USE https://translate.google.com

@@@@@@@ What happened to your files ?
@@@@@@@ All of your files were protected by a strong encryption with RZA4096
@@@@@@@ More information about the en-Xryption keys using RZA4096 can be found here: 
http://en.wikipedia.org/wiki/RSA_(cryptosystem)

@@@@@@@ How did this happen ?
@@@@@@@ !!! Specially for your PC was generated personal RZA4096 Key , both publik and private.
@@@@@@@ !!! ALL YOUR FILES were en-Xrypted with the publik key, which has been transferred to 
your computer via the Internet.
@@@@@@@ !!! Decrypting of your files is only possible with the help of the privatt key and de-crypt 
program , which is on our Secret Server

@@@@@@@ What do I do ?
@@@@@@@ So , there are two ways you can choose: wait for a miracle and get your price doubled, or 
start obtaining BITCOIN NOW! , and restore your data easy way
@@@@@@@ If You have really valuable data, you better not waste your time, because there is no 
other way to get your files, except make a payment

Your personal ID: xxxxxxxxxxxxxxxx

For more specific instructions, please visit your personal home page, there are a few different 
addresses pointing to your page below:

1 - http://2zqnpdpslpnsqzbw.onion.to
2 - http://2zqnpdpslpnsqzbw.onion.cab
3 - http://2zqnpdpslpnsqzbw.onion.city

If for some reasons the addresses are not available, follow these steps:

1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar - http://2zqnpdpslpnsqzbw.onion
4 - Follow the instructions on the site

Be sure to copy your personal ID and the instruction link to your notepad not to lose them.