Bitcoin Ransomware Education – Crowti

Even though we have already covered various types of Bitcoin ransomware this past week, there are other variants in existence which are not as well-known to the public. Back in July of 2015, a report by Microsoft had surfaced regarding a new type of ransomware called Crowti. Similarly to other types of malware, Crowti infects computers through email attachments and asks users to pay in Bitcoin.

Also read: Royal Bank of Canada Working with Ripple on Prototype Blockchain Remittance System

Crowti Wants Your Money in Bitcoin

TheMerkle_Ransomware Education Crowti

The biggest Bitcoin ransomware threat still comes in the form of malicious email attachments, especially when those files are labelled as “clean” by security tools. While Microsoft has added Crowti to its list of threats, there are other ways to infect a host computer than by getting a user to download an infected Crowti file directly.

Hackers have become much smarter throughout the years of Bitcoin ransomware, and Crowti can be installed as soon as the computer is infected with a different type of Trojan Horse. Regardless of how Crowti infects a PC, it will immediately mimic critical Windows processes, such as explorer.exe and svchost.exe. In this regard, Crowti resembles CryptoWall in its latest iteration.

As is the case with any form of Bitcoin ransomware, the main goal is to encrypt files on the host computer and ask for ransom. An extensive list of affected file extensions has been listed on the Microsoft website, including image, Word, and Excel files. No files are renamed during the encryption process, though, which makes it resemble an earlier version of CryptoWall.

Once the infection process has completed, users are greeted with a screen telling them their files are locked and how they need to pay a fee to restore access. This payment link will then direct the user to a page hosted on the Tor network, where the Bitcoin funds can be transferred to the designated address. However, the ransom fee is different depending on which Crowti strain is responsible for infected the computer.

What makes this particular piece of Bitcoin ransomware so frightening is how it deleted shadow files, preventing access to encrypted data by recovering them from an earlier backup. This is not something most types of malware have done up until this point, although later versions of CryptoWall – and Crowti – do so.

Source: Microsoft

Images credit 1,2

If you liked this article follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news.