Attackers Using CryptoWire Ransomware Abuse Scheduled Tasks to Continue

AhnLab security researchers have discovered the return of CryptoWire, a ransomware strain that was first widely used in 2018 and is mainly distributed through phishing emails. CryptoWire is constructed using the AutoIt scripting language. While retrieving encrypted files probably involves a difficult procedure, CryptoWire is said to have the decryption key within its code, in contrast to other ransomware.

Core Features of CryptoWire:

The ransomware first schedules tasks to remain active on the machine and installs itself in a common area (C:Program FilesCommon Files). It then searches the local network and associated devices for files to encrypt, potentially compromising the entire network.


A log file called “domaincheck.txt” is saved on the desktop and may include compromised system data. Encrypted files are renamed with the “.encrypted” extension.


To impede data recovery, ASEC claims that the malware erased shadow copies and emptied the recycle bin.

At last, a notice requesting money for decryption is shown in a ransomware fashion. The decryption key may be sent to the attacker's server by ransomware, or it may be included in the malware itself.

This approach is unusual because typically ransomware entails a difficult decryption procedure for consumers to be able to access their files again.


Users should be cautious when opening unexpected files and run suspicious files through the latest anti-malware software to prevent infection.

A Trojan downloader (Trojan/Win.Kryptik.C5576563) that may have downloaded additional malware was discovered on January 20, 2024, indicating that the system was compromised by several threats.

Ransomware (Ransomware/Win.bcdedit.C5590639) was discovered on February 20th, 2024, and it is believed to encrypt files and demand a fee to unlock them.

Furthermore, malicious activity compatible with ransomware execution (MDP.Ransom.M1171) was identified.

Two MD5 hashes (cd4a0b371cd7dc9dab6b442b0583550c & a410d4535409a379fbda5bb5c32f6c9c) that might be used to identify malicious files were found through a study of the Indicators of Compromise (IoCs).

As soon as possible, take action to remove this virus and secure the system. A C2 server address (hxxp://194.156.98[.]51/bot/log.php) was detected to presumably communicate with the malware to receive instructions or deliver stolen data.