Ransomware Wiki

Crypto Locker EU Ransomware Overview

Crypto Locker EU is a ransomware strain derived from the original CryptoLocker malware family. Initial security tests indicate that the virus was written by an inexperienced developer. It follows a predefined pattern of placing affected files in the Crypto Locker EU and AppData folders. These files may be of different types, including .dat, .html, .exe, .lnk, .bmp and .txt.

The virus engine may also create several registry entries in the following key locations:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\

Encrypted files are renamed using the .send 0.3 BTC crypt extension.
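For scoping an incident, the following added example (not part of the original page) inventories files that carry this marker and tallies them by original extension and by directory. It assumes the marker is appended to the original filename as a suffix; the function names are hypothetical.

```python
import os
import sys
from collections import Counter
from pathlib import Path

# Marker string taken from the page. Treating it as a suffix appended to the
# original filename is an assumption of this example.
MARKER = ".send 0.3 BTC crypt"


def find_marked_files(root):
    """Return sorted paths under root whose name ends with MARKER (any case)."""
    hits = []
    # os.walk skips unreadable directories by default instead of raising.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(MARKER.lower()):
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def original_name(path):
    """Strip the marker to recover the filename as it was before the rename."""
    return Path(path).name[: -len(MARKER)]


def summarize(hits):
    """Count marked files by original extension and by containing directory."""
    by_ext = Counter(
        Path(original_name(p)).suffix.lower() or "(none)" for p in hits
    )
    by_dir = Counter(str(Path(p).parent) for p in hits)
    return by_ext, by_dir


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = find_marked_files(root)
    by_ext, by_dir = summarize(hits)
    print(f"{len(hits)} marked file(s) under {root}")
    for ext, count in by_ext.most_common():
        print(f"  {ext:<10} {count}")
    for directory, count in by_dir.most_common(10):
        print(f"  {count:>6}  {directory}")
```

The scan is read-only, so it can be run against a mounted image or a backup snapshot to compare which directories need restoring.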

Crypto Locker EU Ransomware Affected Extensions

.7z .rar .m4a .wma .avi .wmv .csv .d3dbsp .sc2save .sie .sum .ibank .t13 .t12 .qdf .gdb .tax .pkpass .bc6 .bc7 .bkp .qic .bkf .sidn .sidd .mddata .itl .itdb .icxs .hvpl .hplg .hkdb .mdbackup .syncdb .gho .cas .svg .map .wmo .itm .sb .fos .mcgame .vdf .ztmp .sis .sid .ncf .menu .layout .dmp .blob .esm .001 .vtf .dazip .fpk .mlx .kf .iwd .vpk .tor .psk .rim .w3x .fsh .ntl .arch00 .lvl .snx .cfr .ff .vpp_pc .lrf .m2 .mcmeta .vfs0 .mpqge .kdb .db0 .DayZProfile .rofl .hkx .bar .upk .das .iwi .litemod .asset .forge .ltx .bsa .apk .re4 .sav .lbf .slm .bik .epk .rgss3a .pak .big .unity3d .wotreplay .xxx .desc .py .m3u .flv .js .css .rb .png .jpeg .txt .p7c .p7b .p12 .pfx .pem .crt .cer .der .x3f .srw .pef .ptx .r3d .rw2 .rwl .raw .raf .orf .nrw .mrwref .mef .erf .kdc .dcr .cr2 .crw .bay .sr2 .srf .arw .3fr .dng .jpe .jpg .cdr .indd .ai .eps .pdf .pdd .psd .dbfv .mdf .wb2 .rtf .wpd .dxg .xf .dwg .pst .accdb .mdb .pptm .pptx .ppt .xlk .xlsb .xlsm .xlsx .xls .wps .docm .docx .doc .odb .odc .odm .odp .ods .odt

Crypto Locker EU Ransomware Note

CryptoLockerEU 2016 rusia

Your important liles encryption produced on this computer:photos,videos,document,etc.
Encryption was produced using a RSA-2045bit !!
To Obtime the private key for this computer, which will automatically
decrypt files, you have to send 0.3 BTC to bitcoin adres 14bPTE6DVpx8Vrzk1wt3M8XsJ5YU3ebzKo
You will receive your private key + software within 2 hours.
You have just 7 days before the private key (password) is deleted
https://www.coinbase.com/buy-bitcoin
https://cex.io/buy-bitcoins
– transfer 0.3 BTC 14bPTE6DVpx8Vrzk1wt3M8XsJ5YU3ebzKo
VIRUS ID: {CUSTOM ID}
– on add email
– we send password + software decrypt (now)
– Messengers verification emal – Payments email (bitcoin)
Send : virus id+Bitcoin payment (verification)
decryptme.files@mail.ru
europol.eurofuck@yandex.com
super.decryptme2016@yandex.com

efwerez2015@yandex.com

Crypto Locker EU Ransomware Distribution

The actual ransomware binary may have a randomly generated name. The CryptoLockerEU ransomware strain is distributed mainly via spam email messages.

Crypto Locker EU Ransomware Removal

In-depth removal instructions and detailed technical information about the virus can be found on Best Security Search.