CryptoGod is a ransomware that is targeting Italian-speaking users

CryptoGod is a file encrypting malware based on the infamous HiddenTear open-source virus. Although it is based on the same ransomware, it is an entirely different virus that emerged in June 2018 (dubbed CryptoGod 2018). It uses the AES encryption algorithm to encrypt data and appends .locked file extension. The malware drops a ransom note LEGGIMI.txt into each of the affected folders and opens up a lock screen titled CryptoGod di Patrizio Napoli per esame di stato 2018. Just like many other ransomware viruses, this one asks victims to pay €300 for file release, although the payment must be processed in Paysafecard codes.
| SUMMARY | 2018 | 2017 |
| Name | CryptoGod | CryptoGod |
| Type | Ransomware | Ransomware |
| Based on | HiddenTear | HiddenTear |
| Versions | CryptoGod 2018 | CryptoGod 2017 |
| File extension | .locked | .payforunlock |
| Ransom payment | €300 in Paysafecard codes | 0.03 to 0.05 BTC |
| Detection and elimination | Use FortectIntego or MalwarebytesMalwarebytes | |
The crypto-malware targets Italian-speaking users, as the ransom note is written in Italian. Additionally, the cybercrooks present themselves as Patrizio Napoli, hinting at the developers being from a famous town Naples. Some security researchers believe that the virus was created as a school project, as the ransom window's name stands for CryptoGod by Patrizio Napoli for state exam 2018.
CryptoGod 2018 virus shows the following text in Italian:
I already encrypted your files, so you CAN NOT get access to them. Every hour I will select one of them and delete it permanently, after 24 hours I will remove them all, therefore I will not be able to recover them.
I'm the only one who can decrypt your data.
NOW, LOOK AT YOUR FILES, YOU CAN NOT decrypt them without paying.
To return the files, the amount that must be paid comprises of 300 EURO in the PAYSAFECARD codes.
You can directly enter your PAYSAFECARD CODES, NAME OF YOUR COMPUTER AND YOUR EMAIL ADDRESS BELOW TO SEND CODE and decrypt files.
As evident, hackers are scaring users into paying €300; otherwise they will permanently delete the decryption key for all personal files. Nevertheless, we advise users not to contact cybercriminals and restore files from a back-up or using third-party software. Before that, victims should complete CryptoGod removal, as the data will be encrypted again otherwise.
This ransomware can run Crypto.God.exe process in the background, and certain AV engines may fail to recognize it. So, make sure you select a reputable anti-malware tool. We suggest using FortectIntego or MalwarebytesMalwarebytes
CryptoGod strikes as the imitation of MoWare virus
CryptoGod ransomware functions as a file-encrypting threat created on the basis of MoWare H.F.D crypto-malware. The latter is modeled according to HiddenTear virus. For IT specialists, the story of both threats is quite intriguing.
After the threat had emerged, a crook under the name of Mohammed Raad[1] was spotted bragging about the obtained copy of the mentioned virus. Regarding his posts on the social networks, he disclosed his intentions to modify the original code and release its unique version of the malware.

Thus, the developer of the current malware seemed to pick up the habit. He took the code of MoWare and launched CryptoGod malware. After occupying the device, the virus appends .payforunlock file extension. Regarding its software, it reveals that the felon failed to develop the malware to its final stage. Bugs in the programming code result in visual errors.
The very name, “Crypto God,” refers to the black metal Indonesian band. Thus, it may suggest the identity of the culprit. However, its executable, Ricevuta 25-05-2017.exe,[2] denies such theory or indicates that the hacker knows Italian as well. If you have been struck by the malware, make a rush to remove CryptoGod.
The malware follows the manner of previously indicated threat. The incorporated clock counts the time to urge the user to pay 0.03 bitcoins which amount for ≈83 dollars. If a victim fails to remit the payment before the time expires, the amount increases up to 0.05 bitcoins.
As common for HiddenTear-based viruses, the cyber criminal instructs users to buy bitcoin, transfer them to the indicated address. Finally, they should contact the developer via cryptogod@airmail.cc. Since the software includes source code bugs, it is not recommended to remit the payment as the probability to retrieve your valuable encrypted files is quite low. Instead, make haste to perform CryptoGod removal.
Ways users infect their computers with ransomware-type viruses
Despite the very popular belief that the viruses simply enter machines by themselves, it is not true at all. Unfortunately, victims are typically at fault, being it carelessness or simple unawareness. Therefore, it is vital to learn how ransomware is distributed and ways that it can get into your PC.
Security experts[3] advise users to follow these simple precaution steps:
- Backup your files regularly;
- Employ a reputable anti-malware solution with real-time protection function;
- Do not open attachments or click on links in spam emails – this is the most prominent ransomware distribution method;
- Make sure your RDP is protected with a strong password;
- Avoid visiting dubious file-sharing or other suspicious websites;
- Patch your operating system and software immediately after updates are released;
- Every executable can be malware – scan it before opening.

Eliminate CryptoGod ransomware and proceed to data recovery
Though every crypto-malware differs in complexity and behavior, it is crucial to eliminate it. Note that all ransomware developers warn users not to delete the ransomware in order to save your files. This malware applies the same technique.
However, ignore these warnings and start CryptoGod removal. For that purpose, you might make use of FortectIntego or MalwarebytesMalwarebytes. Note that these tools do not decrypt files. After you remove CryptoGod permanently, take a look at the bonus data recovery guidelines displayed at the bottom of the page.
Was this guide helpful?
Be the first to comment