New crypto malware that pretends to be the FBI encrypts data files and requires  BitCoin ransom !!!

The TG Soft's C.R.A.M. have found new types of CryptoMalware attacks that spread by exploiting not only fake email but also Trojan-downloader...

The TG Soft's C.R.A.M. has identified a new cryptomalware family, called CryptoFBI.

This cryptomalware encrypts text and data files (such as .txt, .log, doc, .pdf, .mdb etc.) keeping the last modified date equal to that of the original file and does not add any extension unlike what happens for most cryptomalware currently known.

To encrypt files, in this case, it is asked for a ransom in BitCoin.


==> How CryptoFBI manifests

==> The ransom demanded by CryptoFBI

==> How to protect yourself from CryptoFBI

==> What to do to mitigate the damage from CryptoFBI

==> Can I restore the encrypted files?

==> Final thoughts

How CryptoFBI manifests

The CryptoFBI is downloaded and run on your PC via a malware belonging to the family Trojan.Win32.Sathurbot.
Il Trojan.Win32.Sathurbot is loaded when the computer starts by grabbing the Windows shell, and more precisely using the registry key:


where {stringCLSID} matches to the key:


in its interior it contains the sub-key "InprocServer32" where the path of the .DLL file is present containing the Trojan.Win32.Sathurbot


The Trojan.Win32.Sathurbot performs tasks downloader, by downloading other malware and allowing their execution in stealth mode (invisible / hidden)

Usually the infection is carried from some vulnerabilities in:
  • Java;
  • Flash Player;
  • Adobe Reader;
that is activated when browsing the compromised websites.

The CryptoFBI file is saved in the user's temp folder (%TEMP%).

Examples of the CryptoFBI files collected from C.R.A.M. are shown in the list below to the left.

On the right image, however, you can see on the windows task manager how the cryptomalware's screen presents while it is active: the window is called "FBI WARNING".
  • FILE NAME: ABDB.tmp.exe
  • SIZE: 195584 byte
  • MD5: 187DC47FB1455B3B47E5913DFE8D03E1
  • FILE NAME: 1627.tmp.exe
  • SIZE: 168960 byte
  • MD5: 32219BB4A2F998364B120598FAF7929B
  • FILE NAME: 321.tmp.exe
  • SIZE: 160256 byte
  • MD5: 45812BED1F5CAB8E30968AEE64A2D425
  • FILE NAME: C3C3.tmp.exe
  • SIZE: 192000 byte
  • MD5: 5BD91CB7BD1768D61A1AEE960097C022
  • FILE NAME: 365F.tmp.exe
  • SIZE: 136192 byte
  • MD5: 9CCD5A0FAB7F9DCC27E6685E310B9CCA

Click to enlarge

Back to top

The ransom demanded by CryptoFBI

Files that are encrypted by CryptoFBI to be encrypted require a payment in BitCoin.
To obtain the information about the payment of the ransom you need to consult the files generated by cryptomalware, as indicated below:
  • 4-19-2016-INFECCIONI.TXT
  • 41920160000000.KEYHOLE
In the instruction file for the payment of the ransom is indicated to contact the blackmailers or by email at: momsbestfriend@protonmail.comtorrenttracker@india.com or using the BitMessagemessaging program.
In the information mesaage are also indicated your own infection ID and the name of the infected PC.

Click to enlarge

Click to enlarge

Back to top

How to protect yourself from CryptoFBI

As already reported, the Vir.IT eXplorer PRO's Anti-CryptoMalware technology when properly installed, configured, updated and used, has held up very well to these attacks managing to save the encryption up to 99.63% of the files and allowing the recovery of encrypted files in the initial phase of the attack up to 100% thanks to the integrated BackUp technologies:
  • BackUp-On-The-Fly;
  • Vir.IT Backup.

Assuming the correct:

  • UPDATE of both the signatures and the engine;
  • CONFIGURATION in particular of the resident shield Vir.IT Security Monitor with the "Anti-Crypto Malware Protection" flagged from the options window in real time, as well as Vir.IT BackUp activated, an advanced backup that allows you to have a copy of your work files preserved from encryption from which to proceed to recovery.

Back to top

What to do to mitigate the damage from CryptoFBI

When the Alert screen on the side appears means that the Vir.IT eXplorer PRO's Anti-CryptoMalware integrated protection  is acting and so, avoiding getting caught by the "panic" NOT close the window and perform the steps that are indicated:

  1. Make sure that Vir.IT eXplorer PRO is UP-TO-DATE;
  2. UNPLUG ETHERNET and/or EVERY NETWORK CABLE - by doing this, the computer will be phisically isolated from the network, thus containing the attack inside just one machine.
  3. PERFORM a FULL SCAN using Vir.IT eXplorer PRO.
  4. DO NOT REBOOT OR TURN OFF THE COMPUTER in order to avoid further encryption, as stated before.
In case of cryptomalware attack you should get in touch with Vir.IT eXplorer PRO's Tech Support as soon as possible. You can write an email to assistenza@viritpro.com, or call +39 049 631748 - +39 049 632750, Mon-Fri 8:30-12:30 and 14:30-18:30.
Videata protezione Anti-CryptoMalware integrata in Vir.IT eXporer PRO
Click to enlarge

Average percentage Expectation of protected files from encryption thanks to Vir.IT eXplore PRO's Anti-CryptoMalware protection ==> Check the information

Can I restore the encrypted files?

With the Anti-Crypto Malware protection integrated in VirIT, the number of encrypted files by CryptoCrypt will be at most a few dozen.

The "sacrificed" files during the mitigation must be replaced with a backup copy.

In the analyzed cases by the TG Soft's C.R.A.M., it was possible to recover files by using the shadow copies of the days preceding the attack.

Back to top

Final thoughts

If you opened an infected attachment and has been started the encryption, you could:
  1. you have Vir.IT eXplorer PRO installed, correctly set up, up-to-date and running on your pc - in this case, you must follow the instructions on the Alert message and you will manage to save AT LEAST 99.63% of your data;;
  2. you have a AntiVirus software that DOESN'T DETECT, signal and halt the ongoing encryption - in this case you still could do
    • LEAVE YOUR COMPUTER TURNED OFF - every time the computer is rebooted and the malware is still active, a new encryption key will be used and the amount of money demanded as ransom will increase (note that paying the ransom does not guarantee the decryption and is therefore highlynot recommended)
Either way, remain calm and do not panic.

TG Soft
Anti-Malware Research Center
Back to top
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: