CryptoRoger Ransomware

Posted by Lisa Blanc on June 23, 2016

What is CryptoRoger Ransomware?

A new ransomware infection CryptoRoger Ransomware was detected on the 21st of June by security specialists. It does not differ much from other existing ransomware infections much because it also encrypts files once it enters the system with the AES-256 algorithm and then demands a ransom. There is also one unique fact about this infection. It has been found that it does not copy itself to different locations after the user opens the malicious file. Instead, it starts encrypting files from its point of execution (POE). Unfortunately, CryptoRoger Ransomware will encrypt all the personal files it finds stored on the computer; however, it will not touch system files because it does not have an intention of ruining your computer. Even though your files will not be unlocked if you delete the ransomware infection from your PC, you still need to do that as soon as possible because new files, e.g. a Microsoft Word document you create might also be in danger. On top of that, research carried out by the specialists working at anti-spyware-101.com has revealed that this computer infection will connect to the Internet without permission every day unless you delete it fully.testtest

What does CryptoRoger Ransomware do?

CryptoRoger is a file-encrypting ransomware infection, so it encrypts the majority of files stored on the computer and then demands a ransom. Unfortunately, the file is encrypted if you see that it has a new .crptrgr extension. Not all the users immediately understand what has happened to their files, so CryptoRoger Ransomware changes the Desktop wallpaper saying that “files on your PC have been securely encrypted.” Also, it tells users to read the .html (!Where_are_my_files!.html) file for more information. The .html file also informs users that their files have been encrypted and they have to pay 0.5 Bitcoin (approximately $360) for the decryption key. The Bitcoin address that is necessary for making the payment is not shown for users, so people who decide to transfer the money will have to contact cyber criminals that hide behind CryptoRoger Ransomware via uTox, which is known to be a TOR messaging service. Users are also encouraged to send one file for the free decryption if they want to make sure that cyber criminals really have the key for unlocking files. We know that you want your files back; however, you should not forget that there is a tiny possibility that you will not even receive the key after you make a payment. If you decide that it is too risky to transfer money to cyber criminals, you should wait for the free decryption tool to be released. Also, you can easily recover files if you have their copies after the deletion of the ransomware infection, which shows the importance of having the backup of the most valuable files.

In order to act as it should, this ransomware infection creates three files in the %APPDATA% directory:

  • bg.jpeg – the background image it sets
  • files.txt – paths of all the encrypted files together with their MD5
  • keys.dat – the AES-256 key obscured with the RSA encryption algorithm (this file has to be sent to cyber criminals if you decide to pay a ransom)

More experienced users will also notice the new registry key CryptoRoger (HKCU\Software\CryptoRoger). As this threat encrypts files, changes the background image, and creates new files and a new registry key, we are sure that it is impossible not to notice the presence of this threat.

Where does CryptoRoger Ransomware come from?

CryptoRoger Ransomware is distributed like other similar computer infections, i.e. it is spread via spam emails. The malicious file usually pretends to be a simple .doc or .pdf document, so users open the spam email and download the file without fear. This is their major mistake. Please, always ignore emails in the Spam folder if you do not want to cause harm to your computer in the future. It would also be smart to install security software on the computer and keep it enabled all the time.

How to remove CryptoRoger Ransomware

Even though CryptoRoger Ransomware creates three new files and a registry key, it will not be hard to remove it manually, especially if you follow our step by step guide you can find below this article. Even though your personal files will not be unlocked, you should do that as soon as possible in order to be able to use the computer without any fear of losing files again. Do not forget to scan the system with a reputable scanner as well because other threats might be installed and perform activities behind your back every day.

Delete CryptoRoger Ransomware

  1. Locate the malicious .exe file and remove it.
  2. Launch RUN (tap the Windows key + R).
  3. Enter regedit.exe in the box and click OK.
  4. Move to HKCU\Software\CryptoRoger.
  5. Right-click on the registry key and delete it.
  6. Close the Registry Editor and open the Windows Explorer (Win+E).
  7. Enter %APPDATA% in the address bar at the top and tap Enter.
  8. Remove bg.jpeg, files.txt, and keys.dat files.
  9. Remove ransom notes from all the directories.
  10. Empty the Recycle bin and your reboot your computer.
100% FREE spyware scan and
tested removal of CryptoRoger Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *