CryptoBit targets Windows OS and is distributed via the Rig exploit kit. Once a target system is infected, CryptoBit places a fake user-agent and fake referrer line in the HTTP traffic in order to masquerade as legitimate web traffic. After establishing contact with its C2 server, it encrypts files on the victim’s machine and then blocks the entire screen with an immovable ransom note. This note can be removed, however, after rebooting the system. Key files named HITLERSNASTYLITTLECRYPTEROMGWTFHELP.KEY23 have also been discovered on infected systems. The attacker behind the campaign requests victims send an email to multiple email addresses listed on the ransom note but no ransom demand amount is displayed.
- Palo Alto Networks provides more information about CryptoBit here.
- The NJCCIC is not currently aware of any decryption tools available for CryptoBit.