One of the latest ransomware discoveries is called CryptoRoger. The research team of MalwareBytes came across this program on June 21. The virus uses AES encryption technology to render files inaccessible. It appends the .crptrgr suffix to the name of each encrypted file. CryptoRoger creates a ransom note in the form of an .html document, titled !Where_are_my_files! The note informs the victim of his fate.
The developers of CryptoRoger demand a ransom of 0.5 bitcoins. This is approximately $360 USD. Upon receiving the sum, they should send you a unique decryption key.
The ransomware uses AES-256 encryption algorithm to lock files. It creates a public encryption key and a private decryption key. The keys are different for every individual computer. CryptoRoger adds the .crptrgr file extension to the name of each infected file. The virus targets documents, archives, compressed folders, images and other multimedia files. You will lose access to all your personal files.
The ransomware retrieves the MD5 hash of all encrypted files and records it together with the filename. The program stores this data in a document, titled files.txt. The file is located in the %AppData% directory.
CryptoRoger asks for a ransom in order to decrypt the user’s files. The demands of the program’s developers are listed in a ransom note. The file, titled !Where_are_my_files!.html, opens automatically when the encryption process ends. The victim does not get instructions on how to pay the sum through the message. He has to contact the creators of the ransomware to receive instructions on the payment process.
The hackers behind CryptoRoger use a messaging tool called uTox to communicate with the victims of the ransomware. The user has to download and install the program. Their uTox contact address is: F12CCE864152DA1421CE717710EC61A8BE2EC74A712051447BAD56D1A473194BE7FF86942D3E
Knowing the address to their uTox account does not enable people to track down the cyber criminals. Similar to bitcoin platforms, the program guarantees the anonymity of ever user.
The developers of CryptoRoger require users to send them a file, called keys.dat. This is most probably the file they have used to conduct the encryption process. By examining the file, researchers found that it contains an encrypted key. It was encrypted using an RSA public key, stored in the ransomware’s executable. By accessing the key.dat file, the owners of CryptoRoger can decrypt the redemption code with the master RSA private key. Upon doing so, they will get the AES decryption key and send it to the victim. At least they promise to do so.
Resolving the issue with CryptoRoger is not possible at this point in time. The virus has just been discovered, so a decryption key is not available yet. Victims are reminded of the program’s presence every time they launch their operating system (OS). CryptoRoger creates a .vbs file in the Windows Startup folder. The ransomware is thus launched every time you boot your system. As a result, it encrypts any new files you have created since the last time you logged in.
