

CryptoShield is ransomware released as an updated version of the CryptoMix family.

Payload

Transmission

CryptoShield is distributed through exploit kits, i.e. drive-by downloads served from compromised or malicious web pages that exploit unpatched browsers and browser plugins. Keeping the browser and its plugins patched, or removing plugins that are not needed, cuts off the usual delivery path.

Infection

After infiltration, the ransomware encrypts the victim's data files and appends ".CRYPTOSHIELD.", ".CRYPTOSHIELD" or ".CRYPTOSHIEL" to each file name (the last two are the same extension with the trailing dot, or the trailing dot and "D", dropped, so any name-based check has to match all three). The ransom note attributes the encryption to RSA-2048. RSA-2048 can only encrypt a few hundred bytes per operation, so the public key the note refers to protects the per-victim key material; the file contents themselves are encrypted with a symmetric cipher, the usual hybrid design, and the note's wording should be read as a claim about key recovery rather than a description of the file format. After encryption completes, CryptoShield writes two ransom notes ("# RESTORING FILES #.HTML" and "# RESTORING FILES #.TXT") into every folder that contains encrypted files.

The HTML and text files carry the same ransom note. It states that files were encrypted with an asymmetric (RSA-2048) algorithm and can only be decrypted with the private key, which is held on a server controlled by CryptoShield's operators. Victims are told to email the operators with the personal ID printed in the note and are then sent payment instructions. The price of the key was not confirmed at the time of writing; operators of this family typically demand the equivalent of $500 to $1,500 in Bitcoin. The note threatens to double the price if payment is not made within 48 hours, and offers to decrypt one encrypted file of the victim's choosing as proof that decryption works. That offer only shows that the operators hold a working key; it is no guarantee that the key will be handed over after payment.

Text presented within CryptoShield text and HTML files:

NOT YOUR LANGUAGE? USE hxxp://translate.google.com
What happened to you files?
All of your files were encrypted by a strong encryption with RSA-2048 using 
CryptoShield 1.0.
More information about the encryption keys using RSA-2048 can be found here: 
hxxps://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
Specially for your PC was generated personal RSA-2048 KEY, both public and private.
ALL your FILES were encrypted with the public key, which has been transferred to 
your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt 
program , which is on our secret server.
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price 
doubled, or start send email now for more specific instructions, 
and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no 
other way to get your files, except make a payment.
To receive your private software:
Contact us by email , send us an email your (personal identification) ID number and 
wait for further instructions.
Our specialist will contact you within 24 hours.
For you to be sure, that we can decrypt your files - you can send us a single 
encrypted file and we will send you back it in a decrypted form. 
This will be your guarantee.
Please do not waste your time! You have 48 hours only! After that The Main Server 
will double your price!
So right now You have a chance to buy your individual private SoftWare with a low 
price!
CONTACTS E-MAILS:
restoring_sup@india.com (res_sup@india.com) - SUPPORT;
restoring_sup@computer4u.com (res_sup@computer4u.com) - SUPPORT RESERVE 
FIRST;
restoring_reserve@india.com (res_reserve@india.com) - SUPPORT RESERVE 
SECOND;
ID (PERSONAL IDENTIFICATION): 4DFB70F41E857D00

Removal

Security researchers from Avast and CERT Polska (CERT.PL) have released a free decrypter that covers this family; it is available from Avast's ransomware decryption tools page. The tool does not cover every key set the family has used, so it will not always work, but it costs nothing to try. Run it against copies of the encrypted files, keep the originals together with the ransom notes (the ID in the note and the file extension identify the variant), and restore from offline backups where they exist rather than paying.

Variants

CryptoShield 1.1

CryptoShield 1.1 is an updated variant of CryptoShield 1.0.

CryptoShield 2.0 Dangerous

CryptoShield 2.0 Dangerous is a variant discovered on February 15th, 2017. It changes the name of each encrypted file to [original file name].WCT.[RES_SUP@INDIA.COM].ID[victim's ID].CRYPTOSHIELD, so the contact address and the victim's ID are now embedded in every encrypted file name rather than appearing only in the ransom note.
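The file-name patterns (the 1.x suffixes from the Infection section and the 2.0 Dangerous pattern above) and the ID and contact fields in the ransom note are what an incident responder keys on when triaging a host. The Python below is an added example written for this page; it is not code from the page, from the malware or from any vendor tool. The sample paths and note text are constructed from the patterns and note quoted on this page, and the classification and ID cross-check logic are my own assumptions about how to use those indicators.

```python
"""Triage helper for CryptoShield file-system artifacts (added example for this
page, not code from the page, the malware or any vendor). Sample paths and the
note below are constructed from the naming patterns quoted on this page."""
import re

# 1.x suffixes listed on the page. Order matters: ".CRYPTOSHIELD." must be tried
# before ".CRYPTOSHIELD", and the truncated ".CRYPTOSHIEL" form must not be missed.
V1_SUFFIXES = (".CRYPTOSHIELD.", ".CRYPTOSHIELD", ".CRYPTOSHIEL")

# 2.0 Dangerous: <original>.WCT.[<email>].ID[<victim id>].CRYPTOSHIELD
V2_PATTERN = re.compile(
    r"^(?P<original>.+?)\.WCT\.\[(?P<email>[^\]]+)\]"
    r"\.ID\[(?P<victim_id>[0-9A-Fa-f]+)\]\.CRYPTOSHIELD$", re.IGNORECASE)

NOTE_NAMES = {"# RESTORING FILES #.HTML", "# RESTORING FILES #.TXT"}
ID_RE = re.compile(r"ID \(PERSONAL IDENTIFICATION\):\s*([0-9A-Fa-f]+)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DEADLINE_RE = re.compile(r"You have (\d+) hours", re.IGNORECASE)


def classify(path):
    """Return None for an unrelated file, else a dict describing the artifact."""
    name = re.split(r"[\\/]", path)[-1]      # last component, any separator
    if name.upper() in NOTE_NAMES:
        return {"kind": "ransom_note", "name": name}
    m = V2_PATTERN.match(name)   # 2.0 names also end in ".CRYPTOSHIELD", so
    if m:                        # this check must run before the 1.x one
        return {"kind": "encrypted", "version": "2.0 Dangerous",
                "original": m.group("original"), "email": m.group("email"),
                "victim_id": m.group("victim_id").upper()}
    for suffix in V1_SUFFIXES:
        if name.upper().endswith(suffix):
            return {"kind": "encrypted", "version": "1.x",
                    "original": name[:-len(suffix)]}
    return None


def parse_note(text):
    """Pull the victim ID, contact addresses and deadline out of a note."""
    id_match, deadline = ID_RE.search(text), DEADLINE_RE.search(text)
    emails = []
    for addr in EMAIL_RE.findall(text):
        if addr.lower() not in emails:
            emails.append(addr.lower())
    return {"victim_id": id_match.group(1).upper() if id_match else None,
            "emails": emails,
            "deadline_hours": int(deadline.group(1)) if deadline else None}


def triage(paths, note_text):
    """Summarise a file listing plus one note, and cross-check the victim ID."""
    summary = {"encrypted": 0, "by_version": {}, "notes": 0,
               "ids_in_names": set(), "note": parse_note(note_text)}
    for path in paths:
        artifact = classify(path)
        if artifact is None:
            continue
        if artifact["kind"] == "ransom_note":
            summary["notes"] += 1
            continue
        summary["encrypted"] += 1
        ver = artifact["version"]
        summary["by_version"][ver] = summary["by_version"].get(ver, 0) + 1
        if "victim_id" in artifact:
            summary["ids_in_names"].add(artifact["victim_id"])
    # IDs embedded in 2.0 file names should agree with the note found beside them;
    # a mismatch means files or notes from more than one infection are mixed.
    note_id = summary["note"]["victim_id"]
    summary["id_consistent"] = (not summary["ids_in_names"]
                                or summary["ids_in_names"] == {note_id})
    return summary


# Constructed sample listing and note (not a real capture).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.CRYPTOSHIELD",
    r"C:\Users\alice\Documents\notes.txt.CRYPTOSHIELD.",
    r"C:\Users\alice\Pictures\holiday.jpg.CRYPTOSHIEL",
    r"C:\Users\alice\Documents\# RESTORING FILES #.TXT",
    r"C:\Users\alice\Documents\# RESTORING FILES #.HTML",
    r"C:\Users\alice\Desktop\report.docx.WCT.[RES_SUP@INDIA.COM].ID[4DFB70F41E857D00].CRYPTOSHIELD",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_NOTE = """\
All of your files were encrypted by a strong encryption with RSA-2048 using
CryptoShield 1.0.
Please do not waste your time! You have 48 hours only! After that The Main Server
will double your price!
CONTACTS E-MAILS:
restoring_sup@india.com (res_sup@india.com) - SUPPORT;
restoring_sup@computer4u.com (res_sup@computer4u.com) - SUPPORT RESERVE FIRST;
restoring_reserve@india.com (res_reserve@india.com) - SUPPORT RESERVE SECOND;
ID (PERSONAL IDENTIFICATION): 4DFB70F41E857D00
"""

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_NOTE))
```

On a real host, feed `triage()` a directory walk instead of the constructed list and the contents of the first note found; the `original` field of each result is the name to restore from backup, and `emails` and `victim_id` are the indicators to record in the incident ticket before any cleanup wipes the notes.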
