- Slow Computer
- System crashes
- Connects to the internet without permission
- Installs itself without permissions
- Can't be uninstalled via Control Panel
We want to inform you about a new malicious program that you have to remove as quickly as possible if your PC has become infected with it. It is called Strictor Ransomware, and it is a Trojan-type malware developed to indiscriminately encrypt files of all types located in your computer’s Documents folder and demand that you pay a ransom for the decryption key. From the outset, we want you to know that the criminals behind this ransomware will not provide you with the necessary decrypter, because its download simply does not work and perhaps was never intended to. Strictor Ransomware is used to extort money from desperate users who justify the cost of getting their precious files back. However, this malware’s owners might not hold up their end of the bargain. So please continue reading if you want to know more about this ransomware.
To our knowledge, this ransomware is distributed via malicious installers that drop Strictor Ransomware’s payload, which includes what seems to be a PDF file but is in reality an executable that scans the computer for files to encrypt. In the case of the sample we have obtained and tested, this file was named Bank_Account_Summary.exe. We have received information saying that this file is distributed via email spam containing a malicious attachment that drops this ransomware on your PC.
Once on your computer, Strictor will scan the Documents folder and indiscriminately encrypt all files regardless of file type. The sample we have obtained encrypted files only in the user’s Documents folder, which is odd since most ransomware encrypts all files that are not vital to running the operating system. It adds the .locked extension to every encrypted file. We have found that it uses the AES-256 encryption algorithm. AES-256 is a strong cipher that you cannot decrypt without the decryption key.
After the encryption is complete, Strictor Ransomware will send an HTTP packet to its command and control (C&C) server at 184.108.40.206 (URL: http://220.127.116.11/cryptowall/ransom.php?DGCMP=TESTBED&DGMAC=94DE80ECFCE5&DGPASS=dPCEY8CsuY) located in Hong Kong. This packet contains computer information, such as DGCMP, DGMAC and DGPASS. In theory, you have to enter your first and last name, email address and the Bitcoin transaction ID at http://18.104.22.168/cryptowall to get the decrypter. However, as we have mentioned earlier, it does not work in practice. If you cannot connect to this ransomware’s server, then a window will appear with a message which states “Are you trying to fool me? Connect me to the Internet;),” and this message will constantly appear if it cannot connect to the web.
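For defenders, the request described above can be located in web proxy logs by its three parameter names, which also identify the affected machine. The following is an added example, not part of the original write-up or of any vendor tool; the log format, addresses and host names are constructed, and matching parameter names case-insensitively goes beyond the single request observed in the article.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters the article reports in the post-encryption request.
BEACON_PARAMS = {"DGCMP", "DGMAC", "DGPASS"}

# Constructed proxy log lines (assumed format: time client method url status).
SAMPLE_LOG = """\
2016-01-01T09:14:02Z 10.0.4.17 GET http://203.0.113.10/cryptowall/ransom.php?DGCMP=FINANCE-PC7&DGMAC=001122AABBCC&DGPASS=aB3dE6gH9j 200
2016-01-01T09:14:05Z 10.0.4.22 GET http://intranet.example/reports/summary.php?id=42 200
2016-01-01T09:15:40Z 10.0.4.31 GET http://203.0.113.10/cryptowall/ransom.php?dgpass=Zz1Yy2Xx3W&dgmac=00-11-22-aa-bb-dd&dgcmp=HR-LAPTOP 503
2016-01-01T09:16:11Z 10.0.4.17 GET http://shop.example/item?DGCMP=only-one-param 200
truncated entry
"""


def normalise_mac(value):
    """Strip separators so 00-11-22-aa-bb-dd and 001122AABBDD compare equal."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def find_beacons(log_text):
    """Return one record per request that carries all three beacon parameters."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        when, client, _method, url, status = fields
        parts = urlsplit(url)
        # Compare parameter names case-insensitively; keep the first value of each.
        query = {k.upper(): v[0] for k, v in parse_qs(parts.query).items()}
        if not BEACON_PARAMS.issubset(query):
            continue  # a single matching name is not enough to flag a request
        hits.append({
            "time": when,
            "client": client,                # internal address of the infected PC
            "server": parts.hostname,        # candidate for egress blocking
            "computer": query["DGCMP"],
            "mac": normalise_mac(query["DGMAC"]),
            "reached_server": status.startswith("2"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Each hit names a machine whose Documents folder should be checked for .locked files and the WindowsUpdate.locked note.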
Furthermore, it will generate a file named WindowsUpdate.locked. This file contains a message stating that your files have been encrypted, and you have to pay $500 USD for the decrypter to get your files back. The 500 dollars have to be sent using Bitcoins. Also, it utilizes scare tactics, such as stating that if you do not pay the required 500 dollars, then the ransom will increase twofold, and you will have to pay $1000 USD. Its executable, Bank_Account_Summary.exe, will run each time you boot up your computer and probably encrypt any files that you have since added to your Documents folder.
Strictor Ransomware’s server is set to provide you with a unique decryption key and a decryption tool. You can get the decryption key only after paying the ransom, but the decryption key is free and yet currently it is unavailable. Take note that the WindowsUpdate.locked file contains a 10-digit password which is unique to every user and, in theory, if you get the decryption key from someone else who got it from this ransomware’s developers, you can enter the decryption key and password into the decryption tool and your files should be decrypted.
However, since you cannot get the decryption key due to technical issues and the chance of getting the decryption key is slim, we do not recommend that you pay the hefty ransom. We suggest that you wait until someone finds a way to crack the encryption or just remove Strictor Ransomware and be done with it. The encrypted files will remain inaccessible, but if they are not of huge importance or if you have backups on other storage media, then we recommend that you use SpyHunter or our manual removal guide to delete this infection in its entirety. Note that our guide is not guaranteed to work under all circumstances since Bank_Account_Summary.exe can be located anywhere and its name can also vary, so please take that into consideration.