What is CryptoPokemon ransomware? And how does it implement its attack?
CryptoPokemon ransomware is a new strain of ransomware that locks important files and demands a ransom payment of 0.02 Bitcoin, which was approximately $104 at the time of writing. It was first discovered by IntezerLabs and, according to security experts, it is a new variant of the PokemonGo ransomware.
After it invades a computer, CryptoPokemon begins its attack with a data harvesting module that is split into two parts. The first extracts data that could reveal the identity of the user by scanning the system for strings such as phone numbers, addresses, email addresses, real names, stored account credentials, and more; the second collects information about the computer’s hardware. Once the harvesting module has run, the ransomware employs a second module, stealth protection, which uses the harvested information along with some malicious components in order to bypass any security programs installed on the computer.
Moreover, CryptoPokemon ransomware modifies the Windows Registry so that it runs automatically every time the computer is turned on. It then scans the computer for its targeted files and encrypts them using a combination of the SHA256 and AES128 algorithms. Once the encryption process is complete, it appends the .CRYPTOPOKEMON extension to every encrypted file and locks the screen. The lock screen contains the following ransom note:
“All files on your computer are encrypted. Files have the extension CRYPTOPOKEMON.
Do not try to decrypt the files yourself, this will only contribute to the loss of all your data on the computer.
To decrypt files, please transfer 0.0200000 BTC to 1Lx46kNYSXTRwMWBxhxxdW3nisJ61yfVoW
After you transfer money, write to email
[email protected] , saying this word “12356749412506806744”.
For advanced users:
After transferring money, go to http://cryptopokemon.top/ , and follow the instructions.
Your computer ID: 12356749412506806744
To enter the site, use the browser.
COPYRIGHT (c)2019 PokemonGO CRYPTOLOCKER pokemongo.icu”
If you visit the site indicated in the ransom note, you will see another ransom note, which states:
“If you hit this site, then all files are encrypted on your computer.
You must be able to enter your computer ID.
You are a great user. If you don’t have enough money to pay, you can get a new computer 🙂
Well, if you are a lamer, then please write to
[email protected] and describe your problem. Our valiant support will help you solve this problem.
[GET MY DECRYPTOR]
(c) 2019 PokemonGo team”
How is the payload file of CryptoPokemon ransomware disseminated online?
The payload file of CryptoPokemon ransomware is disseminated via a malicious spam email campaign. Cyber crooks have used this method to launch massive spam email campaigns against online users worldwide. Crooks disguise these malware-laden emails to make them seem legitimate and to lure users into opening them and downloading the infected attachment. This is why you need to check the content of an email before you click on any link or download any attachment. And before you open any attachment, scan it first to make sure that the file is safe to open.
Obliterate CryptoPokemon ransomware from your infected computer with the help of the instructions laid out below and the advanced guide that follows.
Step 1: First, boot your computer into Safe Mode with Networking. Afterwards, terminate the malicious processes of CryptoPokemon ransomware using the Task Manager; to open it, tap the Ctrl + Shift + Esc keys.
Step 2: Go to the Processes tab and look for the malicious processes of CryptoPokemon ransomware, such as CryptoPokemon.exe, then right-click on each one and select End Process or End Task.
Step 3: Close the Task Manager and open Control Panel by pressing the Windows key + R, then type in “appwiz.cpl” and click OK or press Enter.
Step 4: Look for dubious programs that might be related to CryptoPokemon ransomware and then uninstall them.
Step 5: Close Control Panel and then tap Win + E to launch File Explorer.
Step 6: After opening File Explorer, navigate to the following directories below:
Step 7: From these directories, look for the malicious components of CryptoPokemon ransomware, such as CryptoPokemon.exe and [random].exe, and then delete all of them.
Before you proceed to the next steps below, make sure that you are tech savvy enough that you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there can have a major impact on your computer. To save you the trouble and time, you can just use [product-name]; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 8: Close the File Explorer and tap Win + R to open Run, then type in regedit in the field and tap Enter to pull up the Windows Registry.
Step 9: Navigate to the listed paths below and look for the registry keys and sub-keys created by CryptoPokemon ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step 10: Delete the registry keys and sub-keys created by CryptoPokemon ransomware.
Step 11: Close the Registry Editor.
Step 12: Empty your Recycle Bin.
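The manual steps above can be condensed into a read-only triage pass so you can see what is on the machine before deleting anything. The following PowerShell script is an added example, not code from the article or from any removal tool it mentions. It assumes an elevated prompt on the affected machine (ideally in Safe Mode with Networking). The .CRYPTOPOKEMON extension and the two Control Panel\Desktop registry paths come from the article; the Run/RunOnce keys are an assumption about where the autorun entry the article describes is most likely to live, since the article does not name the key, and the "user-writable path" heuristic is a general rule of thumb rather than a documented trait of this family.

```powershell
# Added triage script (not from the article). Reports only; it deletes nothing.
# Run from an elevated PowerShell prompt on the affected machine.

$Extension  = '.CRYPTOPOKEMON'                                   # extension the article says is appended
$ReportPath = Join-Path $env:USERPROFILE 'Desktop\cryptopokemon-triage.txt'

# Registry locations to inspect. Run/RunOnce are assumed (standard autorun keys);
# the two Control Panel\Desktop paths are the ones the article lists.
$RegistryPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Control Panel\Desktop',
    'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
)

function Get-AutorunEntries {
    # Enumerate every value under the keys above and flag the ones whose data
    # points at an executable in a user-writable location (heuristic, assumption).
    foreach ($path in $RegistryPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }            # skip PowerShell's own metadata
            $data = [string]$prop.Value
            [pscustomobject]@{
                Key        = $path
                Name       = $prop.Name
                Value      = $data
                Suspicious = ($data -match '(?i)\\(Users|Temp|AppData|ProgramData)\\' -and
                              $data -match '(?i)\.exe')
            }
        }
    }
}

function Get-SuspiciousProcesses {
    # Running processes whose image lives in a user-writable directory, plus
    # anything literally named CryptoPokemon (the name the article gives).
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.Path -and (
            $_.Path -match '(?i)\\(Users|Temp|AppData|ProgramData)\\' -or
            $_.ProcessName -ieq 'CryptoPokemon'
        )
    } | Select-Object Id, ProcessName, Path
}

function Get-EncryptedFiles {
    # Files carrying the ransomware's extension under the given roots.
    param([string[]]$Roots = @($env:USERPROFILE))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq $Extension }
    }
}

$autoruns  = @(Get-AutorunEntries)
$processes = @(Get-SuspiciousProcesses)
$encrypted = @(Get-EncryptedFiles)

$report = @()
$report += "Triage run: $(Get-Date -Format o)"
$report += ''
$report += '== Autorun / Desktop registry values (Suspicious = points at an .exe in a user-writable path) =='
$report += $autoruns | Sort-Object Suspicious -Descending | Format-Table -AutoSize | Out-String
$report += '== Running processes from user-writable locations =='
$report += $processes | Format-Table -AutoSize | Out-String
$report += "== Files with the $Extension extension: $($encrypted.Count) =="
$report += $encrypted | Select-Object -First 50 -ExpandProperty FullName

$report | Set-Content -Path $ReportPath -Encoding UTF8
Write-Host "Report written to $ReportPath"
Write-Host ("Flagged autoruns: {0}, flagged processes: {1}, encrypted files: {2}" -f
    (@($autoruns | Where-Object Suspicious)).Count, $processes.Count, $encrypted.Count)
```

Read the report before acting on it: legitimate software (updaters, chat clients) also starts from AppData, so a flagged autorun is a lead to verify against the Step 7 file list, not an automatic verdict. The encrypted-file count is also the quickest way to confirm that the machine really was hit by this family rather than by something else that changed the wallpaper.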
Try to recover your encrypted files using their Shadow Volume copies
You can restore the files encrypted by CryptoPokemon ransomware by downloading this free decrypter from Emsisoft. Alternatively, you can recover them using the Previous Versions feature in Windows, but keep in mind that this method will only work if the ransomware hasn’t deleted the shadow volume copies of your files.
To restore an encrypted file using Previous Versions, right-click on it and select Properties; a new window will pop up. Proceed to the Previous Versions tab, which lists the file’s versions from before it was modified. After the list loads, select one of the previous versions displayed, like the one in the illustration below, and then click the Restore button.
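The Previous Versions dialog reads from the same Volume Shadow Copies that a script can query directly, which is useful when the dialog shows nothing and you want to know whether the snapshots were deleted or merely never covered that folder. The following PowerShell script is an added example, not code from the article. It assumes an elevated prompt, a file path under `$Target` that you replace with the original (pre-encryption) name of a file you want back, and that the snapshot is exposed through a directory symbolic link created with `mklink /d`; `C:\shadow_mount` is a placeholder mount point.

```powershell
# Added example (not from the article): list the shadow copies of a volume and
# copy an earlier version of one file out of the newest snapshot that has it.
# Assumes an elevated prompt. $Target and $MountPoint are placeholders to adapt.

$Volume     = 'C:\'
$Target     = Join-Path $env:USERPROFILE 'Documents\report.docx'   # original path, placeholder
$MountPoint = 'C:\shadow_mount'                                    # placeholder symlink location

function Get-ShadowCopiesForVolume {
    # Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ form, so map the
    # drive letter through Win32_Volume first. Newest snapshot comes first.
    param([string]$VolumeRoot)
    $letter = $VolumeRoot.TrimEnd('\')
    $vol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $letter }
    if (-not $vol) { return @() }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending
}

function Restore-FromShadowCopy {
    # Expose one snapshot as a directory and copy the requested file out of it.
    # Returns $true if the file existed in that snapshot, $false otherwise.
    param($ShadowCopy, [string]$OriginalPath, [string]$Destination)

    $relative = $OriginalPath.Substring($Volume.Length)       # path relative to the volume root
    $device   = "$($ShadowCopy.DeviceObject)\"                # trailing backslash is required by mklink

    if (Test-Path -Path $MountPoint) { cmd.exe /c rmdir $MountPoint | Out-Null }
    cmd.exe /c mklink /d $MountPoint $device | Out-Null
    try {
        $source = Join-Path $MountPoint $relative
        if (-not (Test-Path -Path $source)) { return $false }
        Copy-Item -Path $source -Destination $Destination -Force
        return $true
    }
    finally {
        cmd.exe /c rmdir $MountPoint | Out-Null                 # removes the link, not the snapshot
    }
}

$copies = @(Get-ShadowCopiesForVolume -VolumeRoot $Volume)
if ($copies.Count -eq 0) {
    # This is the failure mode the article warns about: the ransomware removed the
    # snapshots, so Previous Versions will also be empty. Fall back to a backup or the decrypter.
    Write-Warning "No shadow copies remain on $Volume; use an offline backup or the decrypter instead."
}
else {
    Write-Host ("{0} shadow copies found on {1}" -f $copies.Count, $Volume)
    $dest = Join-Path $env:USERPROFILE ('Desktop\recovered_' + (Split-Path -Path $Target -Leaf))
    foreach ($sc in $copies) {
        Write-Host "Trying snapshot from $($sc.InstallDate) ($($sc.DeviceObject))"
        if (Restore-FromShadowCopy -ShadowCopy $sc -OriginalPath $Target -Destination $dest) {
            Write-Host "Recovered to $dest"
            break
        }
    }
}
```

Copy recovered files to a separate location rather than overwriting in place, so that an encrypted original is still available should the decrypter need a sample later, and do the recovery only after the removal steps, since a still-running ransomware process would encrypt the restored copy again.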
Once you’re done executing the steps given above, you need to continue the removal process of CryptoPokemon ransomware using a reliable program like [product-name]. How? Follow the advanced removal steps below.
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Option menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type the URL address [product-url] into the Run dialog box and then tap Enter or click OK.
- After that, the program will download. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed click the “Fix, Clean & Optimize Now” button.