
Crypto1CoinBlocker Ransomware

Posted: January 19, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 22
First Seen: January 19, 2017
OS(es) Affected: Windows

The Crypto1CoinBlocker Ransomware is a variant of the Xorist Ransomware that bears minimal changes from the previous Trojan, except for new ransoming components and a new method of code obfuscation. As with the Xorist Ransomware, the Crypto1CoinBlocker Ransomware blocks your files and delivers messages meant to force you into paying to unblock them. Affected victims should look for alternatives to paying where they exist and use anti-malware products to uninstall the Crypto1CoinBlocker Ransomware safely.

A Low-Effort Remix of an Old 'Favorite'

With Ransomware-as-a-Service (or RaaS) and similar business models being dependable parts of the threat black market, it's clear that many con artists have more interest in benefiting from threatening software than they do in coding it. However, with the recently identified Crypto1CoinBlocker Ransomware, this phenomenon goes to a new extreme. This Trojan is all but identical to the old Xorist Ransomware of the past year, with one major exception: its authors re-compressed it using a free trial version of a packer application.

Data compression or packing is one of the most common ways of providing surface protection to Trojans against anti-malware analysis and has little impact on the underlying payload. When the Crypto1CoinBlocker Ransomware installs itself, it continues conducting all of the attacks the Xorist Ransomware was known for employing previously, such as:

  • Encrypting files as a means of blocking them. Note that Xorist Ransomware-based Trojans like the Crypto1CoinBlocker Ransomware can use TEA or XOR-based encryption methods, while other components of this threat (see below) falsely claim that RSA-2048 is in use.
  • Adding seemingly 'random' extension characters to the locked filenames. These aren't random at all: they are the same Bitcoin wallet address that the Crypto1CoinBlocker Ransomware's authors use for collecting their ransom money.
  • Creating ransom messages as a Notepad text file, a Windows error box and an HTML pop-up, all of which demand Bitcoin payments for decrypting and unlocking your data. Malware experts have verified that the Crypto1CoinBlocker Ransomware's pop-up was taken from CryptoLocker, which further confuses any attempt to identify and counter this threat.
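The renaming behaviour in the second bullet gives a defender something concrete to look for: many files on one machine suddenly carry the same address-shaped suffix. The following Python is an added example written for this article, not code from the original page or from any analysis of the Trojan itself; it flags filenames whose appended extension has the shape of a legacy Bitcoin address and groups them by that address. The sample filenames and the wallet string in them are constructed placeholders, not indicators from a real infection, and the address check is shape-only (Base58 alphabet, leading 1 or 3, 26-35 characters), with no checksum validation.

```python
"""Added example (not from the original article): flag filenames whose trailing
extension looks like a Bitcoin address, the renaming behaviour described for
Xorist-derived ransomware. All sample names and the wallet string are constructed."""
import re
from collections import defaultdict

# Base58 alphabet used by legacy Bitcoin addresses: no 0, O, I or l.
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH / P2SH) addresses start with 1 or 3 and are 26-35 characters long.
_ADDR_RE = re.compile(r"^[13][" + BASE58 + r"]{25,34}$")


def looks_like_btc_address(token: str) -> bool:
    """True if token has the shape of a legacy Bitcoin address (shape only, no checksum)."""
    return bool(_ADDR_RE.match(token))


def split_appended_extension(filename: str):
    """Return (original_name, appended_token) for 'report.docx.<token>', else None.

    Only files that already had an extension are considered, so 'README.<token>'
    is deliberately not matched; adjust if that trade-off does not suit you."""
    base, sep, token = filename.rpartition(".")
    if not sep or not base or "." not in base:
        return None  # single extension or none at all: nothing was appended
    return base, token


def group_by_wallet_extension(filenames):
    """Map each address-shaped appended extension to the original names carrying it."""
    hits = defaultdict(list)
    for name in filenames:
        parts = split_appended_extension(name)
        if parts and looks_like_btc_address(parts[1]):
            hits[parts[1]].append(parts[0])
    return dict(hits)


def suspicious_wallet_extensions(filenames, min_files=3):
    """Addresses appended to at least min_files files: one address on many files is the signal,
    a single odd filename is not."""
    groups = group_by_wallet_extension(filenames)
    return {addr: files for addr, files in groups.items() if len(files) >= min_files}


# Constructed sample directory listing; the 35-character suffix is a placeholder, not a real wallet.
SAMPLE = [
    "Q3_budget.xlsx.1CoinB1ockerP1aceho1derAddrXXXXXXXX",
    "family.jpg.1CoinB1ockerP1aceho1derAddrXXXXXXXX",
    "thesis.docx.1CoinB1ockerP1aceho1derAddrXXXXXXXX",
    "notes.txt",
    "archive.tar.gz",
    "setup.exe.bak",
]

if __name__ == "__main__":
    for addr, files in suspicious_wallet_extensions(SAMPLE).items():
        print(f"{len(files)} files renamed with address-shaped suffix {addr}: {files}")
```

Run it over a directory listing (for example the output of `os.walk` on a user's Documents folder); a single address attached to dozens of files is a much stronger signal than any one filename, which is why the threshold defaults to three.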

Keeping Your Coins on the Way Through a File Blockade

In a law-abiding industry, the Xorist Ransomware's authors would have grounds to sue the threat actors managing the Crypto1CoinBlocker Ransomware, who have borrowed all essential aspects of the old Trojan while re-branding it for their profit. The Crypto1CoinBlocker Ransomware also offers incredibly clear evidence of the problems with taking extortionists at their word: both TEA and XOR are far easier for appropriate freeware and security researchers to decode than RSA-2048. However, malware analysts always recommend investing in backups as the most direct way of cutting off these ransoming attempts.
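To make the contrast with RSA-2048 concrete, the Python below is an added example for this article, not code from the original page and not a reconstruction of any real sample's routine: it shows how a generic repeating-key XOR cipher can be undone from nothing more than one file whose first bytes are known (here, the fixed 8-byte PNG signature). The key and the 'victim' file contents are constructed; the recovery works because XOR reveals the key byte at every position where the plaintext is already known, something no amount of known plaintext does for RSA.

```python
"""Added example (not from the original article): recovering a repeating-key XOR
key from a known file header. Generic XOR, not any real Trojan's routine; the key
and the sample file bytes below are constructed for the demonstration."""

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # the fixed first 8 bytes of every PNG file


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both applies and removes the keystream."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a key_len-byte key from a file whose first bytes are known.

    For each position i < key_len the key byte is ciphertext[i] ^ plaintext[i],
    so the known prefix must be at least key_len bytes long."""
    if len(known_prefix) < key_len:
        raise ValueError("known plaintext shorter than key; cannot recover every key byte")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def recover_file(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 16):
    """Try key lengths 1..max_key_len and accept the first key that reproduces the whole
    known prefix. Returns (key, plaintext) or None if no length fits."""
    for key_len in range(1, min(max_key_len, len(known_prefix)) + 1):
        key = recover_key(ciphertext, known_prefix, key_len)
        if xor_repeating(ciphertext[: len(known_prefix)], key) == known_prefix:
            return key, xor_repeating(ciphertext, key)
    return None


# Constructed sample: a fake PNG (signature, IHDR chunk header, filler) locked with a 5-byte key.
SAMPLE_KEY = b"\x5a\x13\xc4\x07\x99"
SAMPLE_PLAIN = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + bytes(range(40))
SAMPLE_LOCKED = xor_repeating(SAMPLE_PLAIN, SAMPLE_KEY)


def demo():
    """Recover the key from the locked sample using only the public PNG signature."""
    result = recover_file(SAMPLE_LOCKED, PNG_SIGNATURE)
    if result is None:
        return None, False
    key, plain = result
    return key, plain == SAMPLE_PLAIN


if __name__ == "__main__":
    key, restored = demo()
    print(f"recovered key {key.hex()}, file restored: {restored}")
```

The limitation is visible in the code: the known header must be at least as long as the key, which is why real decryptors combine several known file formats or exploit other weaknesses. The point of the example is the asymmetry the article describes, not a universal recipe.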

Con artists may be installing the Crypto1CoinBlocker Ransomware by attaching it to e-mail messages disguised as PDF-based invoices. Anti-malware programs can identify these corrupted files and remove the Crypto1CoinBlocker Ransomware before you lose any content, and enabling visible file extensions can help you detect attempts to confuse the format of a download. Most anti-malware programs identify the Crypto1CoinBlocker Ransomware heuristically, often as a variant of Filecoder or Ransom.AIG.
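The advice to keep extensions visible is easy to automate. The Python below is an added example for this article, not code from the original page: it triages an attachment by comparing the extension a user would see with extensions hidden, the extension Windows actually honours, and the format suggested by the file's leading bytes. The attachment names and contents are constructed samples, and the signature table covers only PDF, Windows PE and ZIP.

```python
"""Added example (not from the original article): triage an e-mail attachment by
checking declared extension, real extension and leading bytes against each other.
Sample names and contents are constructed, not taken from a real lure."""
from dataclasses import dataclass, field

# Standard leading bytes ("magic") for the formats an invoice lure might claim to be or be.
MAGIC = {
    "pdf": (b"%PDF-",),
    "exe": (b"MZ",),          # Windows PE image (.exe, .scr, .dll all share it)
    "zip": (b"PK\x03\x04",),  # also the container for .docx / .xlsx
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jse", "wsf", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


@dataclass
class Verdict:
    filename: str
    declared_ext: str  # what a user sees with known extensions hidden
    real_ext: str      # the final extension Windows uses to pick a handler
    content_type: str  # format inferred from the leading bytes
    reasons: list = field(default_factory=list)


def sniff(data: bytes) -> str:
    """Name the format by its leading bytes, or 'unknown'."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> Verdict:
    parts = filename.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    declared_ext = parts[-2] if len(parts) > 2 else real_ext
    content = sniff(data)
    reasons = []
    if len(parts) > 2 and declared_ext in DOCUMENT_EXTS and real_ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension: shows as .{declared_ext} with extensions hidden, runs as .{real_ext}")
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("executable attachment type")
    if content == "exe" and real_ext not in EXECUTABLE_EXTS:
        reasons.append("PE header in a file not named as an executable")
    if real_ext == "pdf" and content != "pdf":
        reasons.append(f"named .pdf but content sniffs as {content}")
    return Verdict(filename, declared_ext, real_ext, content, reasons)


def is_suspicious(filename: str, data: bytes) -> bool:
    return bool(triage_attachment(filename, data).reasons)


# Constructed attachments: one genuine PDF, two double-extension lures, one mislabelled PE, one archive.
SAMPLES = {
    "Invoice_2017-01.pdf": b"%PDF-1.5\n%constructed sample",
    "Invoice_2017-01.pdf.exe": b"MZ\x90\x00constructed stub",
    "Invoice_2017-01.pdf.scr": b"MZ\x90\x00constructed stub",
    "Invoice_scan.pdf": b"MZ\x90\x00constructed stub",
    "Invoice_2017-01.zip": b"PK\x03\x04constructed",
}


def run_triage(samples=SAMPLES):
    """Return {filename: [reasons]} for every sample attachment."""
    return {name: triage_attachment(name, data).reasons for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in run_triage().items():
        print(f"{name}: {'clean' if not reasons else '; '.join(reasons)}")
```

A mail gateway or a simple download-folder watcher can apply the same three checks; the useful property is that the checks disagree with each other on a lure, while a genuine invoice passes all of them.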

Although it takes more effort to protect yourself from a threat like the Crypto1CoinBlocker Ransomware than it does for a con artist to create it, the cost of not doing so is often counted in high stacks of Bitcoins.
