Crypto1coinblocker Ransomware

Posted by Lisa Blanc on January 26, 2017

What is Crypto1coinblocker Ransomware?

If you are not cautious enough around your e-mails, it is possible that you let a dangerous threat called Crypto1coinblocker Ransomware onto your system. This beast can attack and encrypt your personal files (photos, documents, and program files) in no time. Practically, you cannot even stop this vicious program even if you were to realize that something is wrong; your files will be taken hostage so quickly that you are really doomed. These cyber criminals may be able to corner you with this; unless, of course, you have saved a backup copy onto a portable drive. But even if you have no backup, we do not recommend that you contact these crooks and pay the ransom fee. Supporting cyber criminals is illegal anyway. Our malware experts at anti-spyware-101.com say that it is best for you to remove Crypto1coinblocker Ransomware immediately. Let us tell you in more detail how you may have infected your system so that you can prevent the next malicious attack.testtest

Where does Crypto1coinblocker Ransomware come from?

Our experts have found that this malware infection is not really a new ransomware but rather a renamed version of a former threat called Xorist Ransomware. This malicious program can be spread over the net in spamming campaigns where a malicious file is attached to the mail. This file can look like a document, an image, or a video; however, it is indeed an executable file. Running this file activates this ransomware attack, which clearly means that it is you yourself who actually infects your machine. Although you may think that this is impossible because you would never open such a spam mail, let alone download and run such a malicious file. But let us beg to differ and explain how this is possible indeed.

First of all, this spam may trick your spam filter and pass it without detection. This means that this spam may land in your inbox instead of the spam folder. But since this spam’s main trait is being convincing, it is quite likely that you would open it even if it ended up in your spam folder. The sender of this mail can look totally legitimate to you and sometimes even someone who seems to send the mail from a government office or the police to make sure that you do not ignore it upon receipt. The subject matter of these spam mails can refer to alleged problematic invoices, unpaid fines, issues regarding your bank account or credit card, and so on. Please remember that if you notice this ransomware on your system, it means that you opened a spam and ran the attached file. However, this also means that even if you delete Crypto1coinblocker Ransomware, you cannot save your files anymore. This is exactly why we emphasize the importance of prevention.

Another possible method for cyber criminals to distribute ransomware infections is called Exploit Kits. These malicious kits can be used for creating special webpages with Flash and Java content that would have program code that is triggered when the page loads and then it drops the infection right away silently. This means that loading such a page in your browser would be tantamount to infecting your machine with such a beast. Since this type of attack is based on software vulnerabilities, you need to update all your browsers, Java and Flash drivers regularly from official sources to prevent criminals from dropping infections in this way. Our experts cannot confirm that Crypto1coinblocker Ransomware is spread via Exploit Kits but we still consider this important to share with you.

How does Crypto1coinblocker Ransomware work?

This ransomware first creates a copy of itself in the %TEMP% folder. Our sample was called “VeL8Xum4V8IV735.exe” but yours could be totally different as such infections usually use random names. It seems that this malware threat uses the RSA-2048 encryption algorithm to cipher your files. This infection targets the following file extensions: .zip, .rar, .7z, .tar, .gzip, .jpg, .jpeg, .psd, .cdr, .dwg, .max, .bmp, .gif, .png, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .pdf, .djvu, .htm, .html, .mdb, .cer, .p12, .pfx, .kwm, .pwm, .1cd, .md, .mdf, .dbf, .odt, .vob, .ifo, .lnk, .torrent, .mov, .m2v, .3gp, .mpeg, .mpg, .flv, .avi, .mp4, .wmv, .divx, .mkv, .mp3, .wav, .flac, .ape, .wma, and .ac3. As you can see, your archives, images, documents, videos, and third-party program files could be doomed by this attack. These files get a ".1AcTiv7HDn82LmJHaUfqx9KGG55P9jCMyy" extension.

Apart from creating a clone of itself, this ransomware also creates an image file that could be called "bnbglafjodincgla.bmp” and place it in your %TEMP% folder. This image is the detailed ransom note that you will see as your desktop background after an error pop-up appears on your screen and you click the OK button. The text of this pop-up is also dropped as a .txt file in your Documents folder as well as various other folders. This file is called "HOW TO DECRYPT FILES.txt."

The ransom note instructs you to transfer 1 BTC, which is about 905 dollars, to a Bitcoin address provided in the note. This amount is increased five-fold if you do not pay in the next five days. Once the payment is sent, you have to write an e-mail to “activation2017@mail-on.us” with the proof of transfer. You are told to get the decryption key after the criminals receive your mail. However, we would not really rely on that in your place. As a matter of fact, experience shows that there is little chance for you to get this key. Instead, we suggest that you remove Crypto1coinblocker Ransomware ASAP.

How can I delete Crypto1coinblocker Ransomware?

If you are ready to act, we are here to tell you that you need to delete all related files in order to be able to remove Crypto1coinblocker Ransomware from your computer. You can use our instructions below if you prefer to take matters into your own hands. However, if you are more of an automated solution type, you should find a reliable anti-malware program and install it as soon as possible to safeguard your system from all known malware infections.

Remove Crypto1coinblocker Ransomware from Windows

  1. Tap Win+E to open File Explorer.
  2. Delete the malicious .exe file from the location where you launched it and the %TEMP% folder as well. It could have a random name, such as “VeL8Xum4V8IV735.exe”
  3. Delete all the ransom note files ("HOW TO DECRYPT FILES.txt").
  4. Replace your desktop background and bin the ransom note .bmp from %TEMP% (possible name: "bnbglafjodincgla.bmp").
  5. Empty your Recycle Bin and reboot your system.
100% FREE spyware scan and
tested removal of Crypto1coinblocker Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *