Incident Response, Malware, TDR

Windows trojan packs punch, downloads ransomware “Cribit”

Users infected with a Windows trojan may be in for another devious surprise – ransomware that encrypts computer files and demands Bitcoin payment to decode the data.

According to researchers at Trend Micro, the Windows trojan, called “Fareit,” is an information stealer that has been used to download other malware, like Zeus. Recently, however, analysts discovered that Fareit was being used to spread ransomware called “Cribit.”

In a Monday blog post, Rhena Inocencio, a threat response engineer at Trend Micro, said that two variants of Cribit had been identified by the firm. One, that encrypts files and uses an English message for ransom, and another delivering a “multilingual ransom note, with 10 languages included.”

Messages in English, French, Spanish, Chinese and Arabic are among the variations scamming users, Inocencio wrote.

In the ransom note, users are directed to a website on the Deep Web, which is accessible only through Tor.

Trend Micro found that 40 percent of Cribit victims were in the U.S., and that the variants, which demand $240 worth of Bitcoin, were detected as new iterations of malware, called "BitCrypt."

In a Wednesday email, Christopher Budd, threat communications manager at Trend Micro, told SCMagazine.com that, as is the case with other ransomware, like CryptoLocker, researchers “cannot say for certain that paying the bag guys will result in decrypting the files.”

“After all, cyber criminals are after one goal: to get a person's money,” Budd wrote. “Returning/decrypting a victim's files won't certainly be a priority or major concern for these people. Additionally, paying the ransom may encourage and help expand the operations of cyber criminals.”

To avoid infection or lessen the impact of ransomware threats, Trend Micro recommended that users avoid clicking embedded links in emails, which can contain malware, and to regularly update software as an added security layer. In addition, users should backup important documents, a Trend Micro FAQ page on ransomware suggested.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.