The CryptoSpider Ransomware is yet another HiddenTear variant, and it appears to still be in development. A sample of the CryptoSpider Ransomware was spotted on a popular online virus scanning service. One notable trait of this variant is that it currently does not deliver a ransom message to its victims. In addition, it does not store the decryption key anywhere, because it uses ‘example.com’ as its Command & Control (C&C) server. This domain is not owned by anyone, so it is impossible for the CryptoSpider Ransomware to establish a connection with it. Despite not storing the decryption key, the CryptoSpider Ransomware is still able to cause damage by encrypting the contents of various files and then appending the ‘.Cspider’ extension to the end of their names (e.g. ‘document.xlsx’ will be renamed to ‘document.xlsx.Cspider’).
Although it does not deliver a ransom message, the CryptoSpider Ransomware replaces the user’s wallpaper with a custom image showing a cat accompanied by the text ‘HACKED BY ./Mr.Gh0s7_C47.’ The e-mail address that should be used for contact is not present in any of the files dropped by the CryptoSpider Ransomware, but cyber security experts managed to extract the data from the Trojan’s source code and revealed that the attacker uses [email protected] for contact.
The authors of the CryptoSpider Ransomware are unable to restore the files of their victims because the key needed for this is not saved anywhere. Thankfully, victims of the CryptoSpider Ransomware will not lose their files forever, because they can use a free HiddenTear decryption utility to get their data back. However, file recovery operations should only be performed after you have taken the measures needed to ensure the full removal of the file locker.
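
Before attempting recovery, it helps to know exactly which files carry the ‘.Cspider’ extension and whether restoring them would overwrite anything. The read-only inventory below is an added example, not part of the original article or of any decryption utility; the function names and the sample tree built in `demo()` are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

EXT = ".Cspider"  # extension the article says is appended to encrypted files

def original_name(name):
    """'document.xlsx.Cspider' -> 'document.xlsx'; None if not an affected name."""
    if len(name) > len(EXT) and name.lower().endswith(EXT.lower()):
        return name[:-len(EXT)]
    return None

def inventory(root):
    """Read-only walk: one record per file carrying the appended extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            orig = original_name(fname)
            if orig is None:
                continue
            full = Path(dirpath) / fname
            st = full.stat()
            hits.append({
                "encrypted": str(full),
                "original_name": orig,
                "size": st.st_size,
                "mtime": st.st_mtime,
                # A file already sitting at the original name would be
                # overwritten by a naive restore; flag it for manual review.
                "collision": (Path(dirpath) / orig).exists(),
            })
    return sorted(hits, key=lambda h: h["encrypted"])

def modification_window(hits):
    """Earliest and latest mtime among affected files, or None if none found."""
    times = [h["mtime"] for h in hits]
    return (min(times), max(times)) if times else None

def demo():
    """Build a constructed sample tree and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root, "docs")
        docs.mkdir()
        (docs / "document.xlsx.Cspider").write_bytes(b"\x00" * 32)
        (docs / "notes.txt.Cspider").write_bytes(b"\x00" * 16)
        (docs / "notes.txt").write_text("recreated by user")  # collision case
        (docs / "untouched.pdf").write_bytes(b"%PDF")
        return inventory(root)
```

Run `inventory()` against a copy or a read-only mount of the affected volume, and keep the output alongside a backup of the encrypted files.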