This page is made to help users infected by CryptorBit ransomware. Use the guide below to decrypt CryptorBit files and restore the originals.
This infection is classified as trojan-ransomware and was first detected in September 2013. It infiltrates a system, encrypts files, and demands a ransom for the key. If it is found on a system, don't panic: unlike many more effective ransomware programs, this one leaves files recoverable without payment. Since the malware can still present other system risks, however, users should remove CryptorBit at the earliest opportunity.
There are several routes by which this infection can be dropped onto a system: attachments or in-text links in spam e-mail; downloading an infected freeware bundle; visiting, or being redirected to, a compromised or dubious site and becoming the target of an exploit-kit attack; clicking fake pop-ups offering updates or (rogue) anti-malware; using unverified torrent sharing; a traditional network intrusion; or contaminated removable media such as flash drives, DVDs or CDs.
These infection paths can be guarded against: with some thought, it is fairly simple to stop CryptorBit, or worse malware, from entering. In this case the main delivery method appears to be counterfeit e-mails claiming to carry something of beneficial or financial importance to the user, with a link or attachment to click for further information. These are often well disguised as coming from commercial or government offices, and this kind of social engineering, combined with a little user curiosity and avarice, works surprisingly well. Avoidance only requires a little vigilance.
Once in, CryptorBit hides itself (usually setting up first in the %AppData% system folder) and starts to modify Windows files and drivers. At the same time it contacts the attacker's server. The command-and-control server (on the Tor network) is where the encryption key is stored, and it also provides communication between the victim and the extortionist. Unlike other, more sophisticated extortionware, this one encrypts only the first 512 bytes of a file and then places that block at the end of the file. This is enough to corrupt the file so that the associated program can no longer open it. Among the infection's flaws is an inability to reliably delete backed-up data from the system, as most ransomware is designed to do. If there is a problem retrieving files with System Restore, the Thirtyseven4 CryptorBit Decryption Tool will decrypt JPG, PST, MP3, PDF, DOC, DOCX, XLS, XLSX and PPTX files (see the steps below).
When first discovered, tests showed that no key was provided on payment, which led to this being described as fake or scam ransomware. More recently it has been confirmed that keys have been supplied on payment, so even though files are recoverable because of the program's flaws, it is still fully functioning ransomware. Since the user does not need to pay the ransom, disabling internet access will disrupt the encryption and can make file recovery simpler after CryptorBit has been eradicated. This matters because the presence of one infection can provide a back door for further malware and, if allowed, can also relay sensitive information back to the attacker via Tor. Also included in the package is a cryptocoin miner which, if left in place, will drain the CPU and remain a future security and privacy risk (see the link below for a detailed description).
Detecting and dealing with CryptorBit
As with all malware, it contains elements to help it evade detection, which work with varying success depending on the infection and the quality of the security software. There are signs that indicate the ransomware's presence: slower system operation (because the encryption runs in the background and uses CPU power); program crashes or screen freezes; unrequested internet connections; an increase in spam and pop-ups. If any such behaviour is noticed, close all internet and network connections (including wireless) until needed and check user files for any changes. If no external file back-up is available, make one immediately and store it on a clean external device (first checking that all file extensions are normal; if in doubt, try to open the file). Make a separate folder to move any corrupted files into. Next, completely uninstall CryptorBit, either manually or with anti-malware (see the instructions below).
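The script below is example code added for this page (not the Thirtyseven4 tool or anything from the original) that turns two points above into a triage step: because CryptorBit damages only the first 512 bytes of a file, a file whose leading bytes no longer match the magic number its extension implies is a candidate for the separate "corrupted files" folder. The magic-number table and the quarantine layout are assumptions chosen for the file types the article lists.

```python
"""Triage helper for the damage pattern described above: the first 512 bytes
of a file are garbled, so the owning program cannot open it. Files whose
leading bytes no longer match their extension's magic number are moved aside."""
import shutil
from pathlib import Path

# Leading bytes expected for the formats the article lists (assumed minimal set;
# real files can deviate, e.g. junk before "%PDF", so treat hits as candidates).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".mp3": (b"ID3", b"\xff\xfb"),  # ID3-tagged, or a bare MPEG frame sync
    ".pst": (b"!BDN",),
}
HEADER_LEN = 512  # size of the block the article says is damaged and appended

def classify(head: bytes, ext: str) -> str:
    """Return 'ok', 'unknown-format' or 'header-damaged' for a file's leading bytes."""
    magics = MAGIC.get(ext.lower())
    if magics is None:
        return "unknown-format"  # no expectation to compare against
    if any(head.startswith(m) for m in magics):
        return "ok"
    return "header-damaged"  # magic gone: consistent with the pattern described above

def quarantine_damaged(root: Path, quarantine: Path) -> list:
    """Move every header-damaged file under root into quarantine; return moved paths."""
    quarantine.mkdir(parents=True, exist_ok=True)
    moved = []
    for path in root.rglob("*"):
        if not path.is_file() or quarantine in path.parents:
            continue  # skip directories and anything already quarantined
        with path.open("rb") as fh:
            head = fh.read(HEADER_LEN)
        if classify(head, path.suffix) == "header-damaged":
            dest = quarantine / path.relative_to(root)  # keep relative layout
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(path), str(dest))
            moved.append(dest)
    return moved

if __name__ == "__main__":
    import sys  # usage: python triage.py <folder-to-scan> <quarantine-folder>
    for p in quarantine_damaged(Path(sys.argv[1]), Path(sys.argv[2])):
        print("quarantined:", p)
```

A flagged file proves only that its header is not what the extension promises (a renamed file trips it too), so the quarantine folder is a review list, not a verdict.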
Then attempt a System Restore, which resets the system to an earlier point predating the infection (if the user is unsure when the ransomware entered, this may have to be repeated with an earlier date). Most affected users have found that this restores damaged files. Any files still corrupted can be rectified using Scott's software if they have the extensions listed above, searched for in Windows Previous Versions, or recovered using Microsoft Shadow Explorer (included in some service packs or available to download at windows.microsoft.com).
How to decrypt CryptorBit
To successfully decrypt CryptorBit encrypted files, please follow the steps below:
Step 1: Download the CryptorBit decrypter from here: http://www.thirtyseven4.com/downloads/RestoreCryptor.zip
Step 2: Unpack the .zip archive to C:\CryptorBit.
Step 3: Open a Command Prompt as Administrator (read how to do this here).
Step 4: In the Command Prompt, type "cd \CryptorBit".
Step 5: Copy all your encrypted files to C:\CryptorBit.
Step 6: In the Command Prompt, type "Restorecryptor.exe C:\CryptorBit C:\DecryptedFiles". Wait until the tool is done.
Step 7: You should find all your files decrypted in the C:\DecryptedFiles folder.
How to prevent CryptorBit
This and other ransomware are preventable, though regular external or cloud back-ups of files are good insurance, as is a security program capable of detecting and dealing with threats to cover manual mistakes. Remember the entry routes and methods of ransomware, and practise safe browsing and installing. Keep the operating system up to date with security patches, and likewise the browsers, with their security settings set high to warn of and block threats. Install a good firewall, set it to deny communication with the Tor and I2P networks, and restrict port use without permission (if most malware cannot communicate, it cannot function). Research how to use Windows administrator policy settings to block .exe files from executing in the paths these threats commonly use, namely the system folders %AppData%, %LocalAppData%, %Temp% and %ProgramData%; this will disable most ransomware should it slip past security. To help avoid falling foul of concealed attachments, disable the ActiveX option for Microsoft Office apps.
Avoid CryptorBit: this ransomware is only a bit of a problem, but if your system, or your way of working, allows this malware to enter, then you are also vulnerable to infection by much more professional and problematic extortionware!