Cryptbit Ransomware

Cryptbit ransomware is a strain of file-encrypting malware that scrambles the data inside files on the targeted system, rendering them unreadable.

Once Cryptbit is deployed on a system, it starts encrypting files almost immediately. Before encryption begins, the ransomware first sets up a form of persistence through Windows registry edits, making sure the encryption process runs every time the system is booted up. Shadow volume copies are also deleted. Once this initial setup is finished, Cryptbit gets to work, scrambling file contents.

Files encrypted by the ransomware have the ".cryptbit" extension appended to their names.

The ransomware will encrypt almost every file that is not essential to system operation, including popular media, archive and document file types, as well as database files. Once encryption completes, the Cryptbit ransomware drops its ransom demands inside a plain text file called "CryptBIT-restore-files.txt".

The note contains contact details and the expected payment in Bitcoin. Of course, there is no way to know if the hackers operating the malware will ever send a decryption tool. It is never a good idea to deal with cyber criminals, and the best solution for restoring affected files remains using offline backups and remote storage.
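
To scope a restore from backup, the two file-system indicators named above (the ".cryptbit" extension and the "CryptBIT-restore-files.txt" note) can be counted per directory. The following triage script is an added example, not code from the original article; it assumes the original extension is kept in front of the appended one (for example "report.docx.cryptbit"), and the directory tree it scans is constructed sample data.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article text; matching is case-insensitive
# because Windows file systems normally are.
ENCRYPTED_EXT = ".cryptbit"
RANSOM_NOTE = "CryptBIT-restore-files.txt"

def triage(root):
    """Walk root and summarise Cryptbit artefacts found under it."""
    encrypted = Counter()   # directory -> number of *.cryptbit files
    notes = []              # full paths of ransom notes
    originals = Counter()   # extension in front of ".cryptbit" -> count
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE.lower():
                notes.append(os.path.join(dirpath, name))
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted[dirpath] += 1
                # Assumption: "report.docx.cryptbit" -> ".docx"
                stem = name[: -len(ENCRYPTED_EXT)]
                originals[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    return {"encrypted_total": sum(encrypted.values()),
            "encrypted_by_dir": dict(encrypted),
            "ransom_notes": sorted(notes),
            "original_types": dict(originals)}

def build_sample_tree(root):
    """Constructed sample data: a small tree mixing clean and affected files."""
    layout = {
        "docs": ["report.docx.cryptbit", "budget.xlsx.cryptbit", RANSOM_NOTE],
        "db": ["orders.sqlite.CRYPTBIT"],
        "clean": ["notes.txt", "cryptbit-writeup.pdf"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)

if __name__ == "__main__":
    print(demo())
```

The per-directory counts and the list of original file types show which backup sets need to be restored; directories with a ransom note but no encrypted files are worth a closer look.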

May 20, 2022