Microsoft Warns of Crowti Ransomware

Researchers with Microsoft have spotted a spike in Crowti, a ransomware similar to Cryptolocker that encrypts files on victims’ machines and then asks for payment to unlock them.

The malware has existed for several months but it wasn’t until mid-October that Microsoft’s Malware Protection Center noticed its biggest swell to date. The campaign infected 4000 different systems at its peak, with the bulk of those, 71 percent, confined to machines in the United States.

Similar to CryptoWall, a fairly recent Cryptolocker variant, Crowti uses a valid digital signature to appear legitimate and then, once installed, demands users pay in Bitcoin to purportedly decrypt their files.

Like most ransomware campaigns, Crowti relies on several methods of infection.

Primarily it’s being launched via .ZIP files that come as an attachment in spam emails. Microsoft has discovered a handful of generically titled attachments – VOICE, IncomingFax, document, Complaint_IRS_id, etc. – all designed to dupe users into clicking and installing the malware.
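As an added example (not code from the article or from Microsoft), the following script shows how a mail gateway could triage ZIP attachments of the kind described above: it flags the generic lure names the article lists and inspects the archive for an executable, including the double-extension trick that hides a payload behind a document-looking name. The sample archives, the set of executable extensions and the helper names are all constructed for this illustration.

```python
import io
import re
import zipfile

# Attachment stems Microsoft reported for the Crowti spam wave (names from the article).
LURE_STEMS = {"voice", "incomingfax", "document", "complaint_irs_id"}
# Extensions Windows runs on double-click (assumed list for this example, not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def attachment_stem(filename):
    """Normalise 'Complaint_IRS_id_8831.zip' -> 'complaint_irs_id' (strips trailing digits)."""
    stem = filename.lower().rsplit(".", 1)[0]
    return re.sub(r"[_\-\s]*\d+$", "", stem)


def inspect_zip_attachment(filename, data):
    """Return the reasons (possibly none) this attachment looks like a Crowti-style lure."""
    reasons = []
    if attachment_stem(filename) in LURE_STEMS:
        reasons.append("lure name: " + filename)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
                if ext in EXEC_EXTS:
                    reasons.append("executable in archive: " + info.filename)
                    # 'IncomingFax.pdf.scr' shows as 'IncomingFax.pdf' when extensions are hidden
                    if name.count(".") >= 2:
                        reasons.append("double extension: " + info.filename)
    except zipfile.BadZipFile:
        reasons.append("not a valid zip archive")
    return reasons


def build_zip(members):
    """Build an in-memory ZIP from {member name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real malware: one lure-style archive and one benign archive.
SAMPLES = {
    "IncomingFax_2231.zip": build_zip({"IncomingFax.pdf.scr": b"MZ placeholder"}),
    "quarterly_report.zip": build_zip({"report.xlsx": b"PK placeholder"}),
}


def triage(samples):
    return {name: inspect_zip_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(name, "->", reasons or ["clean"])
```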

Researchers have also seen Crowti propagating via popular exploit kits like Nuclear, RIG and RedKit V2, exploiting old and out-of-date versions of Adobe Flash and Oracle Java.

Most of the exploits being used to spread Crowti have long since been patched. Adobe remedied CVE-2014-0556 just last month and CVE-2014-0515 in April, while Oracle pushed an update to address the Java issue, CVE-2012-0507, way back in February 2012, but that hasn’t stopped attackers from targeting depreciated apps running on those systems.

Crowti has also made its way onto systems alongside other types of malware, including Upatre, Zbot and Zemot, according to Microsoft, who warned of the ransomware in a blog entry on Tuesday.

Crowti not only shares several traits with other types of ransomware, it also borrows their names. In some cases, Microsoft says, the malware brands itself as CryptoWall or CryptoDefense when it informs victims that their information has been encrypted. Like CryptoWall and its variants, Crowti eventually directs its victims to a Tor page and gives them instructions on how to purchase Bitcoin to unlock their information.

The similarities don’t end there.

Much like how Barracuda Labs discovered a CryptoWall variant with a valid digital signature last month, Microsoft stumbled upon a sample of Crowti at the end of September that was also being distributed with a seemingly legitimate certificate.

That certificate, since revoked, was issued by Comodo, like the CryptoWall variant’s, yet researchers claim they’ve seen instances of the ransomware using a certificate from The Nielsen Company as well.

  • Jim Harrison on

    "targeting depreciated apps" - the term is "deprecated".
    • Anonymous on

      He probably means they are old enough to have been written off, in accounting terms. :-)
      • Steve Combs on

        ...or deappreciated - which doesn't come up in my spell checker but would be a step above disrespected. (Sorry, I couldn't resist.)
  • LIam O'Connor on

    Nice read.
  • Steve Combs on

    I've been concerned for some time that a single corrupt user PC with a mapped drive could destroy an entire corporate file share. Even with recent valid backups, this would be a nightmare. Is this fear valid?
  • Tony Armas on

    Steve, your fears are legitimate, read this recent article on how a firm had their servers encrypted.
  • Old Bull Lee on

    Steve - yes, it has happened.
  • JM on

    We had several network shares destroyed. Luckily we had offsite backups.
  • foo32 on

    One more reason to stop using Windows.
    • Dave on

      Actually foo32, one more reason to educate people.
  • Ed on

    My home desktop got infected with ransomware. It sprayed the following files all around HELP_DECRYPT.PNG and HELP_DECRYPT (something else). McAfee was ineffective in either preventing or removing the malware. Downloaded MSE. It identified WIN32:crowti.A and eliminated it. This is a real threat for sure.
