CryptoGod Ransomware
Posted: June 12, 2017
Threat Metric
| Metric | Value |
|---|---|
| Threat Level | 10/10 |
| Infected PCs | 171 |
| First Seen | June 12, 2017 |
| Last Seen | May 2, 2022 |
| OS(es) Affected | Windows |
The CryptoGod Ransomware is a variant of the Hidden Tear file-locking Trojan; it encrypts files such as documents and displays ransom-themed messages to the victim. Users should not pay the criminals to restore their files, especially when a free decryptor may be available. Dedicated anti-malware programs can identify and delete the CryptoGod Ransomware and are the recommended removal method for this threat.
'God' is Just Testing Trojans for Educational Purposes
Italy is the origin of another update to Hidden Tear, the open-source program whose code underlies a range of file-locking and extortionist campaigns around the world. The CryptoGod Ransomware version of the HT family is, supposedly, in development as an 'educational' sample for secondary school exams, but it includes the standard features that make these Trojans both infamous and dangerous to unprotected PCs. The CryptoGod Ransomware's Italian author, Patrizio Napoli, is equipping the Trojan with additional pop-up features and may also be planning a timer-based file deletion routine.
The most notable function in the CryptoGod Ransomware's payload is the same AES encryption routine that other Hidden Tear variants use. Malware experts have yet to determine whether this Trojan's version of the routine is implemented securely or whether it is compatible with the public decryption software written for the family: the decryptors for the original Hidden Tear rely on its predictable password generation, and it is not yet confirmed whether this variant kept that weakness. The CryptoGod Ransomware uses the encryption routine to lock various file formats automatically, documents and pictures in particular, and appends a '.locked' extension to their names. The same extension is also used by similar Trojans, such as the Assembly Ransomware, the UpdateHost Ransomware, the Deos Ransomware and the Unikey Ransomware, so the extension alone does not identify the family.
Most versions of Hidden Tear ask for payment in exchange for an unlocking solution and deliver the demand in a text (Notepad) file. The CryptoGod Ransomware 2018 supplements this with a second message in a pop-up window, which includes the secondary-education and identity references of its developer. Patrizio Napoli also claims that the Trojan may delete files on a timer, although malware experts have found no tangible evidence of such a feature, which is more characteristic of the Jigsaw Ransomware family.
Keeping Your Software Education within Safe Limits
The CryptoGod Ransomware's stated purpose as a 'for demonstrative purposes only' program may be genuine, but the same origin story is true of Hidden Tear itself, which is now a widespread threat to files on unprotected PCs everywhere in the world. Because the CryptoGod Ransomware 2018's encryption routine is functional, users can best protect themselves from being locked out of their files by keeping copies on a secondary device, such as a removable drive or a cloud service. Note that a file-locking Trojan encrypts whatever the infected account can write to, so a backup drive that stays connected, or a synced cloud folder, can be locked along with the originals; disconnect removable backups after use and prefer cloud storage that keeps file versions. Free decryption applications for Hidden Tear also may have some success in restoring files that this Trojan locks.
Samples of the CryptoGod Ransomware, for now, lack any disguise that would trick a victim into installing the Trojan unintentionally. Future attacks could circulate this threat through spam e-mails, file-sharing networks, or brute-force attacks against weakly secured logins. Less often, malware experts also find exploit kits, which abuse software vulnerabilities through the Web browser, helping to distribute file-locking Trojans. Anti-malware products can block most of these attacks and should delete the CryptoGod Ransomware by default.
The peril of a good education is that all knowledge is subject to possible misuse even when the intentions are pure. The existence of the CryptoGod Ransomware, another version of the much-abused Hidden Tear, adds another cause for worry for PC owners without backup solutions.
Technical Details
Registry Modifications
A startup value named CryptoGod is added under both the native and the Wow6432Node Run keys (the listing does not record which hive):
HKEY..\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoGod
HKEY..\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CryptoGod
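The two indicators this write-up gives, the '.locked' suffix on encrypted files and the CryptoGod value under the Run keys, are enough for a first-pass triage of a suspect host. The script below is an added example, not code from the original write-up or from the Trojan's author: it walks a directory tree for '.locked' files and parses a registry export (the text produced by `reg export`, or a .reg file carved from an image) for a CryptoGod value under either Run key, so it runs offline on any platform. The sample export and file tree it builds are constructed for the demo, and the executable path in the export is an assumption, not a path observed in a real sample.

```python
"""
Triage helper for the two CryptoGod indicators listed above:

  1. files renamed with a trailing ".locked" extension, and
  2. an autorun value named "CryptoGod" under either Run key
     (...\CurrentVersion\Run or ...\Wow6432Node\...\CurrentVersion\Run).

Added example, not the write-up's own code.  The sample .reg export and the
demo directory tree are constructed; the cryptogod.exe path is an assumption.
"""
import os
import re
import tempfile
from pathlib import Path

LOCKED_SUFFIX = ".locked"
RUN_VALUE_NAME = "CryptoGod"

# Match both Run keys from the write-up.  The hive is matched loosely because
# the listing does not say whether HKLM or HKCU is used.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\]$",
    re.IGNORECASE,
)
# A .reg value line looks like  "Name"="data"  (data may be quoted/escaped).
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample export (what `reg export` writes), with a constructed
# cryptogod.exe path; the OneDrive and SecurityHealth lines are benign filler.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"CryptoGod"="C:\\Users\\demo\\AppData\\Roaming\\cryptogod.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CryptoGod"="C:\\Users\\demo\\AppData\\Roaming\\cryptogod.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"""


def _unescape_reg_string(data):
    """Strip the surrounding quotes of a REG_SZ value and undo .reg escaping."""
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return data.replace('\\"', '"').replace("\\\\", "\\")


def find_locked_files(root):
    """Return every path under root whose name ends in .locked (sorted)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(LOCKED_SUFFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_run_values(reg_export_text, value_name=RUN_VALUE_NAME):
    """Parse a .reg export; return (key, command) pairs for value_name found
    under any CurrentVersion\\Run key, in file order."""
    found = []
    current_key, in_run_key = None, False
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                     # key header
            current_key = line[1:-1] if line.endswith("]") else line[1:]
            in_run_key = RUN_KEY_RE.match(line) is not None
            continue
        if not in_run_key:
            continue
        m = VALUE_RE.match(line)
        if m and m.group(1).lower() == value_name.lower():
            found.append((current_key, _unescape_reg_string(m.group(2).strip())))
    return found


def triage(root, reg_export_text):
    """Combine both indicators.  The Run value is the stronger signal: other
    families also use .locked, so locked files alone give a weaker verdict."""
    locked = find_locked_files(root)
    autoruns = find_run_values(reg_export_text)
    if autoruns:
        verdict = "cryptogod_persistence"
    elif locked:
        verdict = "locked_files_only"
    else:
        verdict = "clean"
    return {"verdict": verdict, "locked_files": locked, "run_values": autoruns}


def build_demo_tree():
    """Create a constructed tree with two .locked files and one untouched file."""
    root = tempfile.mkdtemp(prefix="cryptogod_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "report.docx.locked").write_bytes(b"\x00" * 64)
    (docs / "photo.jpg.locked").write_bytes(b"\x00" * 64)
    (docs / "notes.txt").write_text("not encrypted")
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_demo_tree(), SAMPLE_REG_EXPORT), indent=2))
```

On a live host, feed `find_run_values` the text of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM and Wow6432Node keys) decoded from the UTF-16 that `reg export` writes, and point `find_locked_files` at the user profile; the command recorded for the CryptoGod value is the file to preserve for analysis before removal.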