CryptoRoger targets Windows OS and the method of distribution is currently unknown. Once executed, this variant encrypts targeted files using AES-256 and then stores the MD5 hash of the original, non-encrypted file, placing it in the %AppData%\files.txt file. Files encrypted by CryptoRoger are appended with the extension .crptrgr. It maintains persistence by placing a Visual Basic script (.vbs) file in the Windows Startup folder, and it will encrypt any new files created after the initial infection. The ransom note instructs victims to download and install uTox, a messaging client, and then contact the attacker using a specific uTox identifier. CryptoRoger demands a ransom payment of 0.5 Bitcoin and threatens to increase the amount several times if the victim does not “behave professionally.”
- Bleeping Computer provides more information about CryptoRoger here.
- The NJCCIC is not aware of any decryption tools available for CryptoRoger.
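The artifacts in this profile lend themselves to a host triage check. The following is an added example, not NJCCIC or Bleeping Computer code: it scans a constructed sample tree for the .crptrgr extension, the .vbs persistence script in the Startup folder and the MD5 list in %AppData%\files.txt, and uses that list to confirm which restored backup copies match the pre-encryption originals. The one-hash-per-line layout of files.txt is an assumption; the real format is not documented here.

```python
import hashlib
import tempfile
from pathlib import Path

# Artifacts described in the CryptoRoger profile above.
ENCRYPTED_EXT = ".crptrgr"
HASH_LIST_NAME = "files.txt"          # written to %AppData%

def md5_of(path: Path) -> str:
    return hashlib.md5(path.read_bytes()).hexdigest()

def find_encrypted(root: Path) -> list[Path]:
    """Files carrying the .crptrgr extension anywhere under root."""
    return sorted(p for p in root.rglob("*" + ENCRYPTED_EXT) if p.is_file())

def find_startup_scripts(startup_dir: Path) -> list[Path]:
    """Persistence check: any .vbs dropped in the Windows Startup folder."""
    return sorted(p for p in startup_dir.glob("*.vbs") if p.is_file())

def load_hash_list(appdata: Path) -> set[str]:
    """MD5 values from %AppData%\\files.txt. ASSUMPTION: one lowercase
    hex digest per line; the real on-disk layout is not documented here."""
    path = appdata / HASH_LIST_NAME
    if not path.is_file():
        return set()
    return {ln.strip().lower() for ln in path.read_text().splitlines() if ln.strip()}

def verify_restored(restored_dir: Path, known_md5: set[str]) -> dict[str, bool]:
    """Restored copies whose MD5 appears in the attacker's own list are
    confirmed identical to the pre-encryption originals."""
    return {p.name: md5_of(p) in known_md5 for p in sorted(restored_dir.iterdir()) if p.is_file()}

def build_sample() -> Path:
    """Constructed sample tree standing in for an infected user profile."""
    root = Path(tempfile.mkdtemp())
    (root / "AppData").mkdir(); (root / "Startup").mkdir()
    (root / "Documents").mkdir(); (root / "Restored").mkdir()
    original = b"quarterly report"
    (root / "Documents" / "report.docx.crptrgr").write_bytes(b"\x00ciphertext\x00")
    (root / "Startup" / "run.vbs").write_text("' constructed persistence stub\n")
    (root / "AppData" / "files.txt").write_text(hashlib.md5(original).hexdigest() + "\n")
    (root / "Restored" / "report.docx").write_bytes(original)      # good backup copy
    (root / "Restored" / "budget.xlsx").write_bytes(b"tampered")   # hash not in list
    return root

if __name__ == "__main__":
    r = build_sample()
    print(find_encrypted(r), find_startup_scripts(r / "Startup"))
    print(verify_restored(r / "Restored", load_hash_list(r / "AppData")))
```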