NetFort Tips & Tricks - How to detect HOWDECRYPT\Cryptorbit activity on your network

Updated 4 years ago
CryptorBit and HOWDECRYPT are a new type of ransomware program. They target all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. Once a computer is infected, the ransomware scans it and encrypts any data file it finds, regardless of the file type or extension. When it encrypts a file, it also creates a HowDecrypt.txt file and a HowDecrypt.gif file in every folder in which a file was encrypted. The GIF and TXT files contain instructions on how to access a payment site that can be used to send in the ransom. This payment site is located on the Tor network, and payment can only be made in Bitcoins.

A customer recently contacted us after being hit with the Cryptorbit virus. Several of their users had clicked on the attachment in an email and had their files and shares encrypted. Luckily, they were able to restore all the files on the shares from backups. They successfully used LANGuardian logs for analysis and found that all the infected machines tried to make outbound connections to This IP address which is registered in Russia was then used to send commands to and from the infected hosts.

If you would like to find out how to detect HOWDECRYPT\Cryptorbit activity on your network with LANGuardian, see Darragh Delaney’s recent video.
If you have questions about how LANGuardian can help you eliminate viruses from your network, or indeed any other aspect of using LANGuardian, please contact us on any time.

Aisling Brennan, Official Rep

Posted 4 years ago
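
The ransom-note behaviour described in the post (a HowDecrypt.txt and HowDecrypt.gif dropped in every folder where files were encrypted) can be turned into a simple check over file-share activity records. The following is an added example, not code from the post or from NetFort: the comma-separated log format, the sample events and the function name `find_note_droppers` are constructed for illustration and are not LANGuardian's export format.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Ransom-note file names described in the post (matched case-insensitively).
NOTE_NAMES = {"howdecrypt.txt", "howdecrypt.gif"}

# Constructed sample of file-share audit events (assumed format):
# timestamp, client IP, action, UNC path
SAMPLE_LOG = r"""
2014-02-10T09:14:02,10.0.0.23,create,\\fs01\finance\2013\HowDecrypt.txt
2014-02-10T09:14:02,10.0.0.23,create,\\fs01\finance\2013\HowDecrypt.gif
2014-02-10T09:14:09,10.0.0.23,create,\\fs01\finance\2014\HowDecrypt.txt
2014-02-10T09:14:31,10.0.0.23,create,\\fs01\hr\payroll\HowDecrypt.gif
2014-02-10T09:15:10,10.0.0.41,create,\\fs01\sales\q1\HOWDECRYPT.TXT
2014-02-10T09:15:44,10.0.0.57,write,\\fs01\docs\report.docx
2014-02-10T09:16:02,10.0.0.57,create,\\fs01\docs\notes.txt
garbage line without fields
"""


def find_note_droppers(log_text, min_folders=2):
    """Return {client: sorted folder list} for clients that created ransom
    notes in at least min_folders distinct folders."""
    folders = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        _ts, client, action, path = (field.strip() for field in row)
        target = PureWindowsPath(path)
        if action.lower() == "create" and target.name.lower() in NOTE_NAMES:
            # Count folders, not files: .txt and .gif in one folder is one hit.
            folders[client].add(str(target.parent).lower())
    return {c: sorted(f) for c, f in folders.items() if len(f) >= min_folders}


if __name__ == "__main__":
    for client, hit_folders in find_note_droppers(SAMPLE_LOG).items():
        print(f"{client}: ransom notes created in {len(hit_folders)} folders")
        for folder in hit_folders:
            print(f"  {folder}")
```

Counting distinct folders per client separates a host that is walking a share from a single stray file; lowering `min_folders` to 1 reports every client that created a note at all.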
