We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names

Published May 28, 2014 | Updated Sep 15, 2017

Learn about other threats

Win32/Crilock

Detected by Microsoft Defender Antivirus

Aliases: Trojan/Win32.Cryptolocker (AhnLab) W32/Ransom.XWLZ-0443 (Command) TR/Crypt.ZPACK.13648 (Avira) Trojan.GenericKDV.1279124 (BitDefender) Trojan.DownLoader10.17256 (Dr.Web) W32/Zbot.GFC!tr (Fortinet) Mal/Ransom-BZ (Sophos) TROJ_FRS.BMA000IP13 (Trend Micro)

Summary

Microsoft security software detects and removes this family of threats.

This ransomware family encrypts your files and shows you a webpage that asks you to pay a fee to unlock them.

They can be installed on your PC by other malware, such as TrojanDownloader:Win32/Upatre and PWS:Win32/Zbot.gen!GO. It can also spread through infected removable drives, such as USB flash drives.

You can read more about this type of threat on our Ransomware page.

There is no one-size-fits-all response if you have been victimized by ransomware. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
Microsoft Safety Scanner

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

You might be able to recover encrypted files by using the tool discussed in the MMPC blog post FireEye and Fox_IT tool can help recover Crilock-encrypted files.

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

This threat is usually installed on your PC by other malware, such as TrojanDownloader:Win32/Upatre and PWS:Win32/Zbot.gen!GO. It can also spread through infected removable or USB flash drives by using the Ransom:MSIL/Crilock.A worm variant.

Installation

Variants of Crilock can drop copies of itself into one of the following folders on your PC:

We have seen variants use the following names:

<system folder>\msunet.exe
%APPDATA%\Roaming\{Random GUID}.exe, for example %APPDATA%\Roaming\{1400BEBE-1503-1236-2800-383F060F181A}.exe
%APPDATA%\zkauhxfbmpubhr.exe

Variants set themselves to run each time you start your PC by changing the registry. We have seen them use the following changes:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,,<system folder>\msunet.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "MSUpdate"
With data: "<system folder>\msunet.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "*MSUpdate"
With data: "<system folder>\msunet.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "CryptoLocker"
With data: "%APPDATA%\Roaming\{random GUID}.exe"

They can also change to registry to allow themselves to spread via removable drives by forcing Autorun to be enabled:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDriveTypeAutoRun"
With data: "145"

Spreads via...

Removable drives

Worm variants of the family drop copies of themselves in all removable drives with the name setup.exe. It might also overwrite any EXE file found in these removable drives. See the Ransom:MSIL/Crilock.A description for more information on these variants.

Payload

Prevents you from accessing your desktop

As part of its payload, some variants of the family display a full-screen webpage that covers all other windows, rendering your PC unusable. The warning asks you to pay a fee in order to receive a randomly-generated key that will "unlock" your files and regain access to your PC.

The ransomware displays a countdown clock counting down from 72 hours, and gives you the following payment options to pay the "fine":

Bitcoin
cashU
MoneyPak
paysafecard
Ukash

Note that the key that "unlocks" your PC is unique; you will not be able to use anyone else's key.

The following are some examples of the lock screen warning messages that Crilock displays:

Bitcoin payment

MoneyPak payment

Paysafecard payment

Ukash payment

Depending on the variant of Crilock, you may be requested to pay the fee or see a message about the fee such as the following:

Encrypts files

The ransomware encrypts files on your PC that it finds when searching fixed and remote drives, to prevent you accessing them. In the wild, the malware has been observed using RSA and AES algorithms for this purpose.

It also drops an .html or .txt file that contain instructions on how to pay the fine in all folders where it encrypts files.

Crilock encrypts files it finds in fixed and remote drives with the following extensions:

.3fr
.accdb
.ai
.arw
.bay
.cdr
.cer
.cr2
.crt
.crw
.dbf
.dcr
.der
.dng
.doc
.docm
.docx
.dwg
.dxf
.dxg
.eps
.erf
img_*.jpg
.indd
.jpe
.jpg
.kdc
.mdb
.mdf
.mef
.mp3
.mp4
.mrw
.nef
.nrw
.odb
.odc

.odm
.odp
.ods
.odt
.orf
.p12
.p7b
.p7c
.pdd
.pef
.pem
.pfx
.ppt
.pptm
.pptx
.psd
.pst
.ptx
.r3d
.raf
.raw
.rtf
.rw2
.rwl
.sr2
.srf
.srw
.wb2
.wpd
.wps
.x3f
.xlk
.xls
.xlsb
.xlsm
.xlsx

Some variants will avoid encrypting files with the following extensions or in folders that have the following names:

Extensions:
avi bat bmp chm cmd dll exe gif ico inf ini	lnk log manifest mp4 msi png scr sys tmp txt wav
Folder paths:
%APPDATA% %ProgramData% $recycle.bin %TEMP% %windir% (the default Windows directory) Folders that contain the name cache

Contacts servers

We've seen the ransomware contacting a server, possibly for the following reasons:

To download the key it uses to encrypt files
To update the malware version
To disable the shutdown of your PC
To issue a denial of service attack
To get information about your PC

We have seen variants of Crilock try to contact the following servers:

184.164.136.134
blcusrwmwsce.ru
cqatmhkbawod.co.uk
controlaccess.ru
duhjqmogmwfc.com
eafikccupbrb.biz
nhbgpmbhfclx.biz
omyfjcovigxw.org
pqgunhsbugov.info
qvethwgpxkbu.net
strathmorej.byethost3.com
strathmorej.coolpage.biz
vajgqwtrpgjn.ru
wfhfkmhgskvm.co.uk
wpkhlcnfhldx.org
xjouorllfkml.com
xuigfrbtkppw.info
yypvjwfywpgv.net

Analysis by Marianne Mallen

Prevention

Take these steps to help prevent infection on your PC.