Trend Micro TrendLabs Malware Blog
    CryptoLocker and other such ransomware threats have been a significant problem for some time now, but recently we’ve seen a new addition to the ransomware scene. This new threat, which calls itself BitCrypt, adds a unique angle to ransomware: it steals funds from various cryptocurrency wallets as well.

    We have identified two distinct variants of this threat. The first variant, TROJ_CRIBIT.A, appends “.bitcrypt” to every file it encrypts and drops an English-only ransom note. The second variant, TROJ_CRIBIT.B, appends “.bitcrypt 2” and drops a multilingual ransom note covering 10 languages; these are (in the order they appear in the note):

    • English
    • French
    • German
    • Russian
    • Italian
    • Spanish
    • Portuguese
    • Japanese
    • Chinese
    • Arabic

    The English ransom note reads as follows:


    Your BitCrypt ID: {transaction ID}

    All necessary files on your PC ( photos, documents, data bases and other) were encoded with a unique RSA-1024 key.
    Decoding of your files is only possible by a special programm that is unique for each BitCrypt ID.
    Specialists from computer repair services and anti-virus labs won’t be able to help you.
    In order to receive the program decryptor you need to follow this link {malicious site #1} and read the instructions.

    If current link doesn’t work but you need to restore files please follow the directions:
    1. Try to open link {malicious site #2}. If you failed proceed to step 2.

    2. Download and install tor browser {Tor Project website}

    3. After installation, start tor browser and put in the following address {malicious site #3}

    Remember, the faster you act the more chances to recover your files undamaged.

    The text in the other languages is fairly similar, although it appears to have been machine translated. Note that “RSA-1024” is the attackers’ own description of the encryption and should not be taken as verified. In addition to the ransom note, TROJ_CRIBIT.B changes the wallpaper to a solid black background with white text informing the user of what has happened to their files.

    Figure 1. Wallpaper

    To make analysis more difficult, this ransomware does not leave a copy of itself on the system after it runs, which makes it hard to acquire a sample, study its behavior, and identify its infection vector.

    Upon further investigation, we found that a variant of the FAREIT information-stealing malware, TSPY_FAREIT.BB, downloads TROJ_CRIBIT.B. This FAREIT variant also steals information from various Bitcoin wallets: it searches for, and attempts to extract information from, the following files:

    • wallet.dat (Bitcoin)
    • electrum.dat (Electrum)
    • .wallet (MultiBit)
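    The two observable artifacts above, the per-variant file extension appended by CRIBIT and the wallet files FAREIT hunts for, are what a responder would look for on a suspect host. The following triage script is an added example written for this post, not code from Trend Micro or from the malware; it walks a directory tree, attributes encrypted files to TROJ_CRIBIT.A or TROJ_CRIBIT.B by suffix, and flags any wallet files of the three kinds named above so their owners can move funds before checking whether FAREIT already read them. The sample directory it builds is constructed for the demo and contains no real victim data; the function and variable names are the example's own.

```python
import os
import tempfile
from collections import Counter

# Suffixes appended to encrypted files by the two CRIBIT variants.
# The longer suffix is listed first so ".bitcrypt 2" is never mistaken for ".bitcrypt".
VARIANT_BY_SUFFIX = {
    ".bitcrypt 2": "TROJ_CRIBIT.B",
    ".bitcrypt": "TROJ_CRIBIT.A",
}

# Wallet files that TSPY_FAREIT.BB searches for, as named in the post.
WALLET_BY_NAME = {
    "wallet.dat": "Bitcoin",
    "electrum.dat": "Electrum",
}
WALLET_BY_SUFFIX = {
    ".wallet": "MultiBit",
}


def classify(filename):
    """Return the CRIBIT variant that produced this filename, or None if it is not encrypted."""
    lower = filename.lower()
    for suffix, variant in VARIANT_BY_SUFFIX.items():
        if lower.endswith(suffix):
            return variant
    return None


def wallet_kind(filename):
    """Return the wallet type FAREIT would target for this filename, or None."""
    lower = filename.lower()
    if lower in WALLET_BY_NAME:
        return WALLET_BY_NAME[lower]
    for suffix, kind in WALLET_BY_SUFFIX.items():
        if lower.endswith(suffix):
            return kind
    return None


def triage(root):
    """Walk `root` and return (variant counts, encrypted paths, [(wallet kind, path), ...])."""
    counts = Counter()
    encrypted = []
    wallets = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            variant = classify(name)
            if variant:
                counts[variant] += 1
                encrypted.append(path)
                continue  # an encrypted wallet is counted as encrypted, not as exposed
            kind = wallet_kind(name)
            if kind:
                wallets.append((kind, path))
    return counts, encrypted, wallets


def build_sample_tree():
    """Create a constructed sample tree (not real data) and return its root."""
    root = tempfile.mkdtemp(prefix="bitcrypt_demo_")
    sample_files = [
        "docs/report.docx.bitcrypt",        # TROJ_CRIBIT.A
        "docs/notes.txt",                   # untouched
        "photos/img1.jpg.bitcrypt 2",       # TROJ_CRIBIT.B
        "photos/img2.jpg.bitcrypt 2",       # TROJ_CRIBIT.B
        "AppData/Bitcoin/wallet.dat",       # Bitcoin wallet, FAREIT target
        "AppData/Electrum/electrum.dat",    # Electrum wallet, FAREIT target
        "AppData/MultiBit/multibit.wallet", # MultiBit wallet, FAREIT target
    ]
    for rel in sample_files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"demo")
    return root


if __name__ == "__main__":
    counts, encrypted, wallets = triage(build_sample_tree())
    for variant, n in sorted(counts.items()):
        print(f"{variant}: {n} encrypted file(s)")
    for kind, path in wallets:
        print(f"exposed {kind} wallet: {path}")
```

    Run it against a mounted image or a live host's user profile instead of the sample tree to get the variant split and the list of wallet files to treat as compromised.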

    As with CryptoLocker, users are referred to a professional-looking site in order to unlock their files. The website is part of the Deep Web, as it is only reachable over Tor; however, the attackers have thoughtfully provided a link to Tor2Web, a service that lets users visit Deep Web sites without running Tor themselves. Visitors are asked to enter the BitCrypt ID found in the ransom note.

    Figure 2. BitCrypt ID login

    After logging in, the user is directed to BitCrypt’s homepage (which describes itself as Bitcrypt Software Inc.), which provides instructions on how to recover their data. However, this requires a payment of 0.4 BTC, which at the time of writing is approximately US$240. The cybercriminals even include an FAQ page on their website, as seen below:

    Figure 3. BitCrypt frequently asked questions

    Feedback from the Smart Protection Network indicates that 40% of CRIBIT victims are from the United States, with another 11% from Japan.

    BitCrypt is only the latest of the many Bitcoin-related threats we have seen of late. Even though the value of Bitcoin has declined since its peak late last year, it remains high enough to make Bitcoin a worthwhile target for theft, whether in the form of Bitcoin-stealing malware like BitCrypt or larger attacks against exchanges such as Mt. Gox and Vircurex.


    • AMC Square Services

      That was an excellent post, thank you for all the info


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice