What is CryptWalker ransomware? And how does it carry out its attack?
CryptWalker ransomware is a new addition to the ever-growing Jigsaw ransomware family. This Jigsaw variant appears to be a very early test build of what could evolve into a fully fledged ransomware threat. Once it enters the system through a malicious executable file called firefox.exe, it connects to a remote server, downloads and installs CryptWalker ransomware on the system, and begins its attack. It starts by scanning the infected computer for certain file types, which according to researchers are the following:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as.txt, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxf.c, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip
Right after it finishes encrypting the targeted files with the AES encryption algorithm, it appends the .CryptWalker file extension to every encrypted file. Following that, a new window pops up on your screen showing the Jigsaw character with text in green letters stating:
“I want to play a game with you. Let me explain the rules:
Your personal files are being deleted. Your photos, videos, documents, etc…
But, don’t worry! It will only happen if you don’t comply.
However I’ve already encrypted your personal files, so you cannot access them.
Every hour I select some of them to delete permanently,
therefore I won’t be able to access them, either.
Are you familiar with the concept of exponential growth? Let me help you out.
It starts out slowly then increases rapidly.
During the first 24 hours you will only lose a few files,
the second day a few hundred, the third day a few thousand, and so on.
If you turn off your computer or try to close me when I start next time
you will get 1000 files deleted as a punishment.
Yes you will want me to start next time since I am the only one that
is capable to decrypt your personal data for you.
Now, let’s start and enjoy our little game together!
1 file will be deleted.
Please, send at least $150 worth of Bitcoin here:
[Address redacted]”
How does this new Jigsaw variant proliferate?
Just like other Jigsaw variants, CryptWalker ransomware spreads through malicious spam emails. Cybercrooks tend to disguise malware-laden emails so that they appear to be sent by a well-known group or company, to trick users into opening them and downloading the malicious attachment.
Carefully follow the instructions laid out below to obliterate CryptWalker ransomware and its malicious processes from your computer.
Step 1: Open the Task Manager simply by tapping the Ctrl + Shift + Esc keys on your keyboard.
Step 2: Under the Task Manager, go to the Processes tab and look for any suspicious-looking process that takes up most of your CPU's resources, such as firefox.exe, which is most likely related to CryptWalker ransomware, and end it.
Step 3: After that, close the Task Manager.
Step 4: Tap the Win + E keys to launch File Explorer.
Step 5: Next, navigate to the following locations and look for the malicious components of CryptWalker ransomware, such as firefox.exe, EncryptedFileList.txt, Address.txt, dr and drpbx.exe, as well as other suspicious files, and then delete all of them.
- %APPDATA%
- %APPDATA%\System32Work\Address.txt
- %APPDATA%\System32Work\dr
- %APPDATA%\System32Work\EncryptedFileList.txt
- %LOCALAPPDATA%\Drpbx\drpbx.exe
- %UserProfile%\Local Settings\Application Data\Drpbx\drpbx.exe
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
- %TEMP%
Step 6: Close File Explorer.
Step 7: Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 8: Under the list of installed programs, look for CryptWalker ransomware or anything similar and then uninstall it.
Step 9: After that, Close Control Panel.
Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer's Registry. Keep in mind that any changes you make there will have a major impact on your computer. To save you the trouble and time, you can simply use PC Cleaner Pro; this system tool is proven to be safe and robust enough that hackers won't be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 10: Tap Win + R to open Run, then type in regedit in the field and tap Enter to pull up the Windows Registry.
Step 11: Navigate to the following paths:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE
- HKCU\SOFTWARE\WOW6432Node
Step 12: Delete the registry keys and sub-keys created by CryptWalker ransomware, such as the entry that launches firefox.exe.
Step 13: Close the Registry Editor and empty your Recycle Bin.
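As an added example (not part of the original article), the following read-only PowerShell triage script checks the same indicators the steps above walk through by hand: the running process from Task Manager, the drop locations and component names from the File Explorer step, the HKCU Run key from the Registry steps, and the .CryptWalker extension. It only reports findings and deletes nothing; the AppData path match is an assumption used to avoid flagging a legitimately installed Firefox.

```powershell
# Added triage script, not from the original article. Read-only: reports only.
$components = 'firefox.exe', 'drpbx.exe', 'Address.txt', 'EncryptedFileList.txt', 'dr'
$dropDirs = @(
    "$env:APPDATA\System32Work",
    "$env:LOCALAPPDATA\Drpbx",
    "$env:USERPROFILE\Local Settings\Application Data\Drpbx",
    $env:APPDATA,
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    $env:TEMP
)
$findings = @()

# 1. Running processes named like the dropped executables. A real Firefox lives
#    under Program Files, so only a copy running from AppData is suspicious (assumption).
Get-Process -Name firefox, drpbx -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -match '(?i)\\AppData\\' } |
    ForEach-Object { $findings += "Process $($_.Id): $($_.Path)" }

# 2. Dropped components in the locations listed in the File Explorer step
foreach ($dir in $dropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $components -contains $_.Name } |
        ForEach-Object { $findings += "Dropped file: $($_.FullName)" }
}

# 3. HKCU Run values that start firefox.exe or drpbx.exe from AppData (persistence)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        if ("$($p.Value)" -match '(?i)AppData.*(firefox|drpbx)\.exe') {
            $findings += "Run value '$($p.Name)' -> $($p.Value)"
        }
    }
}

# 4. Impact estimate: files under the profile that already carry the .CryptWalker extension
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -File `
    -Filter '*.CryptWalker' -ErrorAction SilentlyContinue)
$findings += "Files with .CryptWalker extension: $($encrypted.Count)"

$findings
```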
To make sure that nothing is left behind and that CryptWalker ransomware is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it's already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows starts instead, reboot your computer and try again. Once you're on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- In the Advanced Options menu, use the arrow keys to select Safe Mode with Networking, then hit Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.