
Craftul Ransomware

Posted: June 26, 2019

The Craftul Ransomware is a file-locking Trojan that can block your computer's media, such as pictures or text documents, through encryption. Users can identify infections by the 'craftul' extensions on their non-opening files and by the presence of a Notepad ransom note. Keeping your secure backups up to date denies the attackers any extortionist leverage, and anti-malware products should shut down and delete the Craftul Ransomware at any point.

A Mystery Afoot with Crafty Trojans

The PC security industry is on the tail of a new file-locker Trojan whose symptoms are sufficiently generic that its victims could mistake it for a member of nearly any family, including Hidden Tear, the semi-Russian Scarab Ransomware, or the Asia-focused STOP Ransomware. This threat, however, most closely resembles the old Revolution Ransomware, with which it shares some of its text. The new Trojan, the Craftul Ransomware, provides no other clues about its lineage and could be a 'lone wolf.'

Malware researchers haven't confirmed any infections in the wild, and there's a chance that the Craftul Ransomware is still in development and testing itself against the AV industry's threat-detecting rulesets. It does, however, include file-locking behavior, most likely AES-based, which prevents digital media from opening and appends 'craftul' as an extra extension to each locked file. The word may be Romanian in origin, and a Romania-only distribution for its campaign wouldn't be surprising.

Malware analysts are verifying the Craftul Ransomware's infection features, including the dropping of Notepad TXT files that match those of the Revolution Ransomware, apart from new e-mail addresses. The warning tells victims that they must negotiate for the decryptor, be willing to pay a ransom, and have seventy-two hours before the price doubles automatically. The latter may or may not be a bluff; most file-locker Trojans' campaigns don't include any automatic deadline functions.

Crafting a Way Out of Contrived Extortion

Users should hope that the Craftul Ransomware isn't an update of the Revolution Ransomware; since the Revolution Ransomware has no public decryption service, any files locked with the same method will be irretrievable without the threat actor's aid. Paying the ransom is also fraught with risk, since criminals don't always honor their side of these agreements. Furthermore, Craftul Ransomware infections may delete the backup data, such as Shadow Volume Copies, that Windows or Shadow Volume Copy-based repair tools would otherwise use to restore your files.

The universal defense against file-locking Trojans is securing and regularly updating your backups, which users should keep on other devices for safety. Text documents, pictures, databases, and archives are examples of the formats that the Craftul Ransomware most likely includes in its list of targets for blocking, but malware experts see similar threats damaging other types of data and even program executables. Removing the extension that the Craftul Ransomware appends isn't a solution: the file's contents remain encrypted, and stripping the extension only makes it harder to identify which files were damaged.
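An added triage example (not code from the original page or from any vendor) that walks a folder, lists files carrying the 'craftul' extension, checks whether each one's header still matches the format named by its original extension (so stripping the extension cannot restore it), and flags TXT files that look like the ransom note. The file-signature table, the note heuristic, and the sample files are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

LOCK_EXT = ".craftul"  # the extension this page describes being appended
# Signatures for a few common formats (assumed sample set, not from the page)
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
# Note heuristic (assumption): a TXT file mentioning decryption plus an e-mail address
NOTE_RE = re.compile(r"decrypt", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

def triage(root):
    """Walk `root`; return (locked, notes). Each locked entry is
    (filename, original extension, header still matches that format)."""
    locked, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == LOCK_EXT:
            original_ext = path.with_suffix("").suffix.lower()  # e.g. ".png"
            header = path.read_bytes()[:8]
            sig = MAGIC.get(original_ext)
            # If the header no longer matches, removing ".craftul" cannot repair the file
            still_valid = sig is not None and header.startswith(sig)
            locked.append((path.name, original_ext, still_valid))
        elif suffix == ".txt":
            text = path.read_text(errors="replace")
            if NOTE_RE.search(text) and EMAIL_RE.search(text):
                notes.append(path.name)
    return sorted(locked), sorted(notes)

def build_sample_tree():
    """Constructed sample: an intact PNG, a 'locked' PNG whose bytes were replaced
    (standing in for encrypted output), and a note. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="craftul_demo_")
    (Path(root) / "photo.png").write_bytes(MAGIC[".png"] + b"\x00" * 32)
    (Path(root) / "report.png.craftul").write_bytes(bytes([0x5C, 0xE1, 0x90, 0x42]) * 10)
    (Path(root) / "README_DECRYPT.txt").write_text(
        "Your files are encrypted. To decrypt contact attacker@example.invalid "
        "within 72 hours or the price doubles.")
    return root

if __name__ == "__main__":
    locked, notes = triage(build_sample_tree())
    for name, ext, ok in locked:
        print(f"{name}: original type {ext}, header intact: {ok}")
    print("suspected ransom notes:", notes)
```

The `still_valid` flag is False for the locked sample, which is exactly why renaming such a file back to its original extension achieves nothing.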

As a silver lining, nearly all anti-malware products will delete file-locking Trojans on sight. Users can remove the Craftul Ransomware by scanning their computers and then proceed with any recovery options after the disinfection.

Although malware experts see that there's more worth learning about the Craftul Ransomware's campaign and payload, it may be best that nothing else surfaces. A quiet Trojan that does nothing to the public at large is better than one that's well-known and active.
