

CryptoGod is a file-encrypting program based on the infamous HiddenTear open-source ransomware. An important distinction to make is that this CryptoGod ransomware has nothing to do with the CryptoGod Ransomware from June 2017.

CryptoGod is deployed as a Trojan that encrypts the targeted data on infected computers and offers the affected users the chance to buy a decrypter from the people who created it.

Payload

CryptoGod is programmed to apply an AES-256 cipher to user-generated data such as family photos, notes, presentations, downloaded music and video, databases, PDFs and eBooks. The threat uses the reliable AES cipher to make the files unreadable and then leaves a ransom message on the screen. The encrypted files carry the '.locked' extension, so a file like 'Volborthite Mineral.docx' is renamed to 'Volborthite Mineral.docx.locked'. The ransom alert is produced as a program window titled 'CryptoGod di Patrizio Napoli per esame di stato 2018', which is Italian for 'CryptoGod by Patrizio Napoli for state exam 2018'. Some computer researchers believe that CryptoGod might be a school project, given the simplicity of CryptoGod and its lack of a 'Command and Control' server configuration. The CryptoGod window displays the following text (rough translation from Italian):

EXAMPLE RANSOMWARE BY PATRIZIO NAPOLI FOR STATE EXAMS 2018
5a B SIA
INSERT THE BITCOIN TRANSFER CODE
INSERT YOUR EMAIL
SEND DATA
----------
YOUR PERSONAL FILES ARE TO BE DELETED. YOUR PHOTOS, VIDEOS, ETC DOCUMENTS ...
BUT DO NOT WORRY! IT WILL HAPPEN ONLY IF YOU DO NOT FOLLOW THE RULES.
I HAVE ALREADY ENCRYPTED YOUR FILES, SO THAT YOU CAN NOT ACCESS YOU. EVERY HOUR I WILL 
SELECT ONE OF THEM AND I WILL CANCEL IT PERMANENTLY AFTER 24 HOURS I WILL CANCEL YOU ALL,
THEREFORE I WILL NOT BE ABLE TO RECOVER THEM.
I AM THE ONLY ABLE TO DECREASE YOUR DATA ..
NOW, KEEP YOUR FILES, YOU CAN NOT DECIDE IT WITHOUT PAYING.
THE AMOUNT TO PAY TO RESTORE THE FILES IS € 300 IN PAYSAFECARD CODES.
YOU CAN INSERT DIRECTLY BELOW YOUR PAYSAFECARD CODES,
THE NAME OF YOUR PC AND YOUR E-MAIL TO SEND THE CODE FOR DECODRYPTION OF FILES.

The same text can be found in 'LEGGIMI.txt' (Italian for 'README.txt'), which may be saved to the desktop and to any folder containing '.locked' files.
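The two artefacts described above, the '.locked' extension and the 'LEGGIMI.txt' note dropped next to affected files, are what a responder scopes an infection by. The script below is an added example, not code from the wiki page or from the CryptoGod/HiddenTear code base: it walks a directory tree, groups '.locked' files by folder, records whether the ransom note is present in that folder, recovers the original file names, and flags any '.locked' file whose first bytes do not look like ciphertext. The sample directory layout is constructed for the demo, and the entropy threshold of 7.0 bits per byte is an assumption (AES output is close to 8.0, typical documents sit well below that), used to catch files that were renamed but never actually encrypted.

```python
# Added example (not from the page): incident-response scoping helper for a
# CryptoGod-style infection. Identifies '.locked' files and 'LEGGIMI.txt'
# notes per folder and flags renamed files that do not look encrypted.
import math
import os
import random
import tempfile
from collections import Counter

LOCKED_EXT = ".locked"       # extension CryptoGod appends (from the page)
RANSOM_NOTE = "LEGGIMI.txt"  # ransom note file name (from the page)
ENTROPY_THRESHOLD = 7.0      # bits/byte; assumption: AES ciphertext ~8, plain documents far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def original_name(locked_path) -> str:
    """'Volborthite Mineral.docx.locked' -> 'Volborthite Mineral.docx'."""
    name = os.path.basename(str(locked_path))
    return name[:-len(LOCKED_EXT)] if name.endswith(LOCKED_EXT) else name


def scope_infection(root, sample_bytes: int = 4096) -> dict:
    """Walk `root`; return per-folder findings keyed by path relative to root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        locked = sorted(f for f in files if f.endswith(LOCKED_EXT))
        if not locked and RANSOM_NOTE not in files:
            continue  # folder untouched, nothing to report
        low_entropy = []
        for f in locked:
            with open(os.path.join(dirpath, f), "rb") as fh:
                head = fh.read(sample_bytes)
            # Renamed-but-not-encrypted files keep plaintext statistics.
            if shannon_entropy(head) < ENTROPY_THRESHOLD:
                low_entropy.append(original_name(f))
        report[os.path.relpath(dirpath, root)] = {
            "locked_files": [original_name(f) for f in locked],
            "ransom_note": RANSOM_NOTE in files,
            "low_entropy": low_entropy,
        }
    return report


def build_demo_tree(base: str) -> None:
    """Constructed sample of a victim profile; not real CryptoGod artefacts."""
    rng = random.Random(2018)  # deterministic stand-in for ciphertext bytes
    layout = {
        "Documents/Volborthite Mineral.docx.locked": rng.randbytes(4096),
        "Documents/notes.txt.locked": b"renamed but never encrypted\n" * 150,
        "Documents/LEGGIMI.txt": b"constructed placeholder for the ransom note\n",
        "Pictures/holiday.jpg.locked": rng.randbytes(4096),
        "Music/song.mp3": b"untouched file, no findings expected\n",
    }
    for rel, content in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def run_demo() -> dict:
    """Build the sample tree in a temp directory and scope it."""
    base = tempfile.mkdtemp(prefix="cryptogod_demo_")
    build_demo_tree(base)
    return scope_infection(base)


if __name__ == "__main__":
    for folder, findings in run_demo().items():
        print(folder, findings)
```

Running the script prints one line per affected folder; 'Music' never appears because it holds neither a '.locked' file nor a note. The per-folder inventory is what a responder hands to whoever restores from backup, and the low-entropy check matters because a file that was only renamed can simply be renamed back, while one with ciphertext-like content needs a backup or a decrypter.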
