A new Ransomware began to spread on 24th December 2018 as a nice Christmas present to people across the globe. It has been identified as Criakl Ransomware & is claimed to be a newer version of the Trojan Ransomware Cryakl. Researchers first encountered Cryakl in the spring of 2014 & since then it has continued to appear sporadically. However, it has not been an intensely active or widely distributed Ransomware, particularly in the UK.
Initially, it was distributed through archives attached to e-mails; later the e-mails became more varied & were made to look like messages from certain organizations. After encrypting the files on the victim’s computer, the Ransomware creates a long key & sends it to the C&C server. Recovering the compromised files without this key is not possible.
The Ransomware then changes the desktop wallpaper of the infected system to a picture of Fantomas, the villain from the 1964 French movie, & demands a ransom for decrypting the files.
Ransom:Win32/Criakl.C is a Ransomware that disguises itself as a legitimate application; however, upon installation it encrypts a number of files on the infected system & demands a ransom for their decryption.
The security researchers revealed that Criakl Ransomware uses a file named winrar.exe, which tricks users into thinking that they are dealing with a legitimate app.
Once a user has unwittingly installed it, the Ransomware takes over the PC & encrypts all the files, & a ransom note appears in every folder & on the desktop as well.
A victim informed security researchers that he received two e-mails on 23rd December 2018 at 9:56 PM from email@example.com. Both the e-mails were written in poor English & seemed translated from a foreign language.
One of the e-mails had a zip attachment containing a macro-enabled Word document, whereas the second e-mail contained a win.rar with an .exe inside it.
As soon as the Word document is opened, it contacts a remote site & downloads an .exe file that is similar to the .exe file inside win.rar. The Prise list.zip attachment extracts to Prise list.doc. Opening this malicious doc unknowingly can lead to almost everything on the computer being encrypted.
Criakl Ransomware is capable of copying itself & drops the copy in the following directory:
It is also capable of dropping the following files:
The Ransomware encrypts the following file types on an infected PC's hard drive:
Once these files are encrypted by Criakl Ransomware, it renames them by adding the following string to the file extension:
This extension contains a 36-digit number, the date, the time (hours, minutes & seconds), followed by a string of 7 random numbers & an e-mail address.
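The following triage script is an added example, not code from the article or from any vendor tool: it checks a file listing for names whose suffix carries the fields described above (the `.id` marker, a 36-digit number, a 7-digit run and an e-mail address). The page does not give the separators, field order or date/time layout, so each field is searched for independently, the date/time is not checked, and the sample names are constructed.

```python
import re
from pathlib import PureWindowsPath

# Field shapes come from the article's description of the appended string.
# The page does not give separators, field order or the date/time layout,
# so each field is searched for independently and date/time is not checked.
ID_MARKER = re.compile(r"\.id", re.IGNORECASE)
FIELDS = {
    "36-digit id": re.compile(r"(?<!\d)\d{36}(?!\d)"),
    "7-digit run": re.compile(r"(?<!\d)\d{7}(?!\d)"),
    "e-mail": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"),
}


def matched_fields(path):
    """Return the names of the described fields found after the '.id' marker."""
    name = PureWindowsPath(path).name
    marker = ID_MARKER.search(name)
    if marker is None:
        return []
    tail = name[marker.end():]
    return [label for label, rx in FIELDS.items() if rx.search(tail)]


def triage(paths, min_fields=3):
    """Split a file listing into (suspect, partial) lists by fields matched."""
    suspect, partial = [], []
    for p in paths:
        hits = matched_fields(p)
        if len(hits) >= min_fields:
            suspect.append(p)
        elif hits:
            partial.append((p, hits))
    return suspect, partial


# Constructed sample listing; the '-' separators and date layout are assumptions.
SAMPLE = [
    r"C:\Users\a\Documents\invoice.xlsx.id-" + "1" * 36
    + "-24.12.2018-10.15.42-7654321-user@example.com",
    r"C:\Users\a\Documents\notes.idx",
    r"C:\Users\a\Documents\export.id-1234567.csv",
    r"C:\Users\a\Pictures\holiday.jpg",
]

if __name__ == "__main__":
    suspect, partial = triage(SAMPLE)
    for p in suspect:
        print("SUSPECT", p)
    for p, hits in partial:
        print("PARTIAL", p, hits)
```

Names that match only some of the fields are reported separately, because a benign file can contain `.id` or a 7-digit run on its own.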
Following the encryption of the files, a ransom note appears on the screen, asking the user to send an e-mail to the scammer & transfer a certain amount; however, the ransom amount is not revealed in the ransom note.
Criakl Ransomware also displays an image of the mask of Fantomas, the villain from the 1964 French movie. Since this Ransomware targeted users mostly in Russia, the ransom note is also displayed in the Russian language.
Фантомас разбушевался и зашифровал все Ваши важные файлы, да, да, даже офисные!
Но не отчаивайтесь, он готов их Вам вернуть, если Вы напишите на его фантомаса-почту и предложите некоторую сумму денег.
Не забудьте указать фантомас-идентификатор, написанный в конце каждого файла.
Фантомас любит заметать следы, поэтому если Вы не напишите ему в течении 48 часов, он удалит Ваш ключ расшифровки и расшифровка файлов будет невозможна!
Fantomas got angry and encrypted all your files, yes, yes, office files too.
But don’t despair, he’s ready to return them to you, if you send him a fanto-mail and offer a certain amount of money.
Don’t forget to include fanto-id written at the end of the name of every file.
Fantomas likes to sweep the traces, and that’s why if you don’t reply within 48 hours, he will delete your decryption key and decrypting of your files will become impossible!
The cybercriminals use various strategies for malware distribution which include –
Name: Criakl Ransomware
Targeted Operating System: Windows
Symptoms: Most of the user's files are encrypted. The locked files are appended with an .id extension followed by a 36-digit number, the date, the time (hours, minutes & seconds), a string of 7 random numbers & an e-mail address. On attempting to access a compromised file, a ransom note appears demanding an undisclosed ransom to be paid within 48 hours. The desktop wallpaper is replaced by a ransom note in the Russian language & an image of Fantomas, the villain from the 1964 French movie.
Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.