CrypBits256 Ransomware Uses Ransom Note in Portuguese

During our routine examination of new malware samples, our team of researchers came across the CrypBits256 ransomware. CrypBits256 is part of the Xorist ransomware family and operates by encrypting data and demanding a ransom for its decryption.

When CrypBits256 was launched on our test machine, it started encrypting files and adding the ".CrypBits256PT2" extension to their original filenames. For instance, a file named "1.jpg" would become "1.jpg.CrypBits256PT2", while "2.png" would become "2.png.CrypBits256PT2", and so on.

Once the encryption process was complete, CrypBits256 created two identical ransom notes: one in the form of a pop-up window and the other as a text file called "HOW TO DECRYPT FILES.txt". The message was written in Portuguese.

Upon translation, the ransom note explains to victims that their files and backups have been encrypted, and they can only recover them with a decryption key and software. This key and software can be obtained by paying an unspecified ransom amount. The note also warns victims that any attempts to rename, modify the extension, or delete the encrypted files will result in permanent data loss.
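The appended extension and the note file name described above are enough for a read-only triage pass over an affected volume. The following is an added example, not code from the original article: the function names and the sample tree are constructed for illustration, and the script only lists files and never renames or modifies them.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".CrypBits256PT2"       # appended extension reported on this page
NOTE_NAME = "HOW TO DECRYPT FILES.txt"  # ransom note file name reported on this page

def triage(root):
    """Read-only inventory of a tree: encrypted files, notes, time window."""
    report = {"encrypted": [], "notes": [], "per_dir": {}, "first": None, "last": None}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT.lower()):
                # The original name is whatever precedes the appended extension.
                original = name[: -len(ENCRYPTED_EXT)]
                report["encrypted"].append((str(full), original))
                report["per_dir"][dirpath] = report["per_dir"].get(dirpath, 0) + 1
                # Modification times bracket the encryption window for the timeline.
                mtime = full.stat().st_mtime
                if report["first"] is None or mtime < report["first"]:
                    report["first"] = mtime
                if report["last"] is None or mtime > report["last"]:
                    report["last"] = mtime
            elif lower == NOTE_NAME.lower():
                report["notes"].append(str(full))
    return report

def build_sample_tree(base):
    """Constructed sample data: empty placeholder files, no real malware output."""
    base = Path(base)
    (base / "docs").mkdir()
    for rel in ("1.jpg" + ENCRYPTED_EXT, "docs/2.png" + ENCRYPTED_EXT,
                "docs/untouched.txt", NOTE_NAME):
        (base / rel).write_bytes(b"")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = triage(build_sample_tree(tmp))
        for path, original in result["encrypted"]:
            print(f"encrypted: {path} (was {original})")
        print("notes:", result["notes"])
        print("directories affected:", result["per_dir"])
```

Run against a mounted forensic image or a read-only share, the per-directory counts show how far the encryption spread and the first and last modification times give a starting point for the incident timeline.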

CrypBits256 Ransom Note Written in Portuguese

The full text of the CrypBits256 ransom note reads as follows:

Todos Dados/Backups foram criptografados
a unica forma de obter os dados em seu perfeito estado é
entrar em contato no Email: auditorbit256@protonmail.com
e obter o decryptor+chave unica por um pequeno valor.
Dados em perfeito estado em até 1 hora
prazo para o contato 09/11/2022 12:00 ID-0004
(N = NÂO)

  • N delete arquivos trancados
  • N não renomeie os arquivos trancados
  • N não altere a extensao dos arquivos trancados .CrypBits256
  • N não poste esta mensagem em nenhum site
    nem denuncie pois podem bloquear este email.

How Can Ransomware Like CrypBits256 Infect Your System?

Ransomware like CrypBits256 can infect your system in several ways. Here are some of the most common methods used by ransomware attackers to distribute their malicious software:

Email phishing: One of the most common methods for spreading ransomware is through phishing emails. Attackers send emails that appear to be from a trusted source and contain links or attachments that, when clicked, download the ransomware onto the victim's computer.

Malicious websites: Ransomware can also be distributed through malicious websites that contain infected software or scripts. Attackers use social engineering tactics to lure victims to these websites and trick them into downloading and installing the ransomware.

Exploiting vulnerabilities: Ransomware attackers often exploit vulnerabilities in software or operating systems to gain access to a victim's computer. These vulnerabilities can be found in outdated software that has not been patched with the latest security updates.

Malvertising: Attackers can also use malicious advertising or malvertising to spread ransomware. They use fake advertisements that appear on legitimate websites to trick users into clicking on them, which downloads the ransomware onto their computer.

In summary, ransomware like CrypBits256 can infect your system through various methods, including email phishing, malicious websites, exploiting vulnerabilities, and malvertising. It is important to be vigilant and take precautionary measures such as using antivirus software, avoiding suspicious links or attachments, keeping software up to date, and regularly backing up important data to prevent ransomware attacks.

May 4, 2023