Martijn Lammerts
My own digital place with a little of everything

MSRT July 2015: Crowti

14 July 2015
In our ongoing effort to provide malware protection, we are adding the following detections to the Microsoft Malicious Software Removal Tool (MSRT) this month:

Crowti, a file encryption threat, is one of the top prevalent ransomware families. We have recently seen it sent as a spam email attachment with formats similar to those shown below:

Figure 1:  Email spam samples delivering Crowti as an attachment

As well as using spam emails as the entry point or infection vector, Crowti can also be downloaded by exploit kits (for example, Axpergle – popularly known as the Angler exploit kit), and bundled with other malware (for example Win32/Fareit and Win32/Fleercivet).

Figures 2 and 3 show the prevalence and location of Crowti malware infections during the past two months:

Figure 2: Crowti unique machine infections

Figure 3:  Top countries affected by Crowti

MSRT cleanup for Crowti will remove executable files and registry entries related to the malware. It will also restore the default system settings. There is more information about the Crowti malware family at the following links:

As we have mentioned in our previous blog, The dangers of opening suspicious emails: Crowti ransomware, there are no guarantees that paying the ransom will give you access to your files or restore your PC to its pre-infection state. Paying the ransom is not encouraged. If your PC is already infected you might be able to recover your files.

You can take these security precautions to help prevent ransomware attacks in both consumer and enterprise machines:

Marianne Mallen