{"id":49817,"date":"2023-03-17T16:35:32","date_gmt":"2023-03-17T15:35:32","guid":{"rendered":"https:\/\/ekiwi-blog.de\/49817\/encryption-trojans-and-their-consequences-all-files-encrypted-with-craa-extension\/"},"modified":"2023-03-17T16:35:34","modified_gmt":"2023-03-17T15:35:34","slug":"encryption-trojans-and-their-consequences-all-files-encrypted-with-craa-extension","status":"publish","type":"post","link":"https:\/\/ekiwi-blog.de\/en\/49817\/encryption-trojans-and-their-consequences-all-files-encrypted-with-craa-extension\/","title":{"rendered":"Encryption Trojans and their consequences: all files encrypted with CRAA extension"},"content":{"rendered":"<p>Encryption Trojans are still a big problem, a field report.<\/p>\n<p><!--more--><\/p>\n<p>Somewhat desperately, a customer called me this week: all the files on his computer had been given a new file extension. The files now have a .craa extension and can no longer be opened; this happened after he had tried out software from the internet.<\/p>\n<p>It quickly became clear to me that an encryption Trojan was probably the cause, which a quick Google search also confirmed. Behind it is the Djvu ransomware, which has been active for many years. 
As soon as you have launched it, the software starts to encrypt the data in the background.<\/p>\n<p>Documents, text files, pictures and videos are affected.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_1.png\" alt=\"\" width=\"285\" height=\"175\" class=\"aligncenter size-full wp-image-49788\" \/><\/p>\n<p>In addition, the Trojan drops a &#8220;readme&#8221; file, which informs the victim accordingly and demands the money.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_2.png\" alt=\"\" width=\"826\" height=\"691\" class=\"aligncenter size-full wp-image-49792\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_2.png 826w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_2-300x251.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_2-768x642.png 768w\" sizes=\"auto, (max-width: 826px) 100vw, 826px\" \/><\/p>\n<p>In terms of price, the variant is aimed at private users. The price is just under 1000 dollars and there is a discount for the first 72 hours. One file can be decrypted free of charge as proof that the crooks do indeed have the key.<\/p>\n<p>We have not tested whether this works in practice. In any case, it is not a good idea to throw money at the fraudsters, so this should only be considered in exceptional cases. It is better to have a backup or a backup strategy. 
More on this later.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Clean_up_your_computer\"><\/span>Clean up your computer<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As a first measure, the computer should be disconnected from the internet. Then the computer should be shut down. This may stop further encryption of files.<\/p>\n<p>USB hard drives should be disconnected from the computer. If a complete backup of the system is available, it can be restored.<\/p>\n<p>A clean-up is possible, but should be carried out without starting the operating system, e.g. 
with <a href=\"https:\/\/ekiwi-blog.de\/19303\/windows-virencheck-ohne-windows-boot-mit-windows-togo\/\" target=\"_blank\" rel=\"noopener\">Windows ToGo<\/a>.<\/p>\n<p>If there is no backup, one should be created, e.g. also from Windows ToGo. This backup should not be used directly, but only kept as an additional safeguard, e.g. in case Windows is reinstalled.<\/p>\n<p>Reinstalling Windows is the safest option. If you have a backup of the data, this is the best way.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Decryption_with_tool\"><\/span>Decryption with tool<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>I had a few files sent to me, all text files. A look inside the files shows the disaster: nothing is readable, everything is encrypted.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_3.png\" alt=\"\" width=\"905\" height=\"243\" class=\"aligncenter size-full wp-image-49796\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_3.png 905w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_3-300x81.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_3-768x206.png 768w\" sizes=\"auto, (max-width: 905px) 100vw, 905px\" \/><\/p>\n<p>There is some hope in the form of a decryption tool. However, the tool itself already dampens that hope at the start.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_4.png\" alt=\"\" width=\"432\" height=\"293\" class=\"aligncenter size-full wp-image-49800\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_4.png 432w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_4-300x203.png 300w\" sizes=\"auto, (max-width: 432px) 100vw, 432px\" \/><\/p>\n<p>Decryption is currently only possible for old variants or for keys that are already known. 
In our case, it&#8217;s &#8220;bad luck&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_5.png\" alt=\"\" width=\"635\" height=\"450\" class=\"aligncenter size-full wp-image-49804\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_5.png 635w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_5-300x213.png 300w\" sizes=\"auto, (max-width: 635px) 100vw, 635px\" \/><\/p>\n<p>Of course, the developers of the ransomware also know that these decryption programmes exist and adapt their software accordingly.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Links\"><\/span>Links<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><a href=\"https:\/\/decrypter.emsisoft.com\/submit\/stopdjvu\/\" target=\"_blank\" rel=\"noopener\">File comparison tool online<\/a><\/li>\n<li><a href=\"https:\/\/www.nomoreransom.org\/en\/decryption-tools.html\" target=\"_blank\" rel=\"noopener\">Decryption tools by Trojan<\/a><\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"No_decryption_possible_What_now\"><\/span>No decryption possible? What now?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>If decryption is not possible, the encrypted data should not be deleted. Archiving is a good idea here. 
This way, if the keys become known at some point, the decryption tool can use them in the future.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_6.png\" alt=\"\" width=\"1185\" height=\"165\" class=\"aligncenter size-full wp-image-49808\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_6.png 1185w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_6-300x42.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_6-1024x143.png 1024w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_6-768x107.png 768w\" sizes=\"auto, (max-width: 1185px) 100vw, 1185px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Backup_strategy_for_home_users\"><\/span>Backup strategy for home users<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>How do private users take precautions? The answer is first and foremost backups. Ideally, we make regular backups to at least two USB hard drives. One of these should not be permanently connected to the computer, otherwise it will be encrypted along with everything else.<\/p>\n<p>If we have a backup, we can restore the files after the infection. Ideally, we should also make a <a href=\"https:\/\/ekiwi-blog.de\/23586\/windows-11-vollstaendiges-backup-image-erstellen-mit-minitool-shadowmaker\/\" target=\"_blank\" rel=\"noopener\">regular backup of our computer<\/a> so that we don&#8217;t have to clean it up, but can return to an earlier state.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Using_cloud_services\"><\/span>Using cloud services<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Another good option is to use cloud services, such as Microsoft OneDrive. The files are stored off-site on the servers of the respective provider. Again, the local files would be encrypted and then synchronised with the cloud service, but the cloud services store older versions of the files so they are recoverable. 
Many cloud services also detect when an encryption Trojan becomes active and block the changes.<\/p>\n<p>It is also possible to restore the old status of the cloud service.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_7.png\" alt=\"\" width=\"799\" height=\"283\" class=\"aligncenter size-full wp-image-49812\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_7.png 799w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_7-300x106.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/03\/virus_7-768x272.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><\/p>\n<p>As a general rule, it is advisable to use cloud and local backups in parallel.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In our case, things didn&#8217;t go particularly well. There was no backup and the files were encrypted for the time being. 
At least for the future, a backup strategy has now been developed.<\/p>","protected":false},"excerpt":{"rendered":"<p>Encryption Trojans are still a big problem, a field report.<\/p>\n","protected":false},"author":1,"featured_media":6541,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1552],"tags":[],"class_list":["post-49817","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-en"],"_links":{"self":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/49817","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/comments?post=49817"}],"version-history":[{"count":0,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/49817\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media\/6541"}],"wp:attachment":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media?parent=49817"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/categories?post=49817"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/tags?post=49817"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}