URL: https://www.pcrisk.com/removal-guides/12392-creeper-ransomware
Submission: On November 01 via api from ES — Scanned from ES

CREEPER RANSOMWARE

Also Known As: Creeper virus
Type: Ransomware
Damage level: Severe

Written by Tomas Meskauskas on November 30, 2021 (updated)

▼ REMOVE IT NOW Get free scan and check if your computer is infected.
To use full-featured product, you have to purchase a license for Combo Cleaner.
Seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt,
the parent company of PCRisk.com read more.


WHAT IS CREEPER?

Creeper is a ransomware-type virus first discovered by malware security
researcher Michael Gillespie. Once it has infiltrated a system, Creeper encrypts
stored files and appends the ".creeper" extension to the name of each affected
file. For example, "sample.jpg" is renamed to "sample.jpg.creeper".

Following successful infiltration, Creeper places a text file
("DECRIPT_MY_FILES.txt") on the desktop. This file contains a ransom-demand
message.

The message informs victims of the encryption and states that files can only be
restored using a unique key. Unfortunately, this information is accurate. It is
currently unknown whether Creeper uses symmetric or asymmetric cryptography;
either way, decryption requires a unique key generated individually for each
victim.

Unfortunately, cyber criminals keep these keys on a remote server and urge users
to submit payments for their release. The cost depends on how quickly victims
pay, and payment must be made in the Monero cryptocurrency (at the time of
writing, one Monero coin was equivalent to ~$295). The ransom within the first
two days is 3 Monero coins.

On the third day, the cost increases to 5 Monero coins. On the sixth day, the
decryption keys are permanently deleted and file decryption becomes impossible.
Be aware, however, that cyber criminals can never be trusted. These people are
likely to ignore victims once payments are submitted.

Therefore, paying typically gives no positive result and users are scammed. You
are advised to ignore all requests to pay any ransoms. There are currently no
tools capable of restoring files encrypted by Creeper. Therefore, restoring
everything from a backup is the only option.

Screenshot of a message encouraging users to pay a ransom to decrypt their
compromised data:



Creeper has very similar characteristics to HrHr, GANDCRAB, XiaoBa, SUSPENDED,
and dozens of other ransomware viruses. These viruses are developed by different
cyber criminals. Despite this, all have identical behavior and there are just
two major differences: 1) the size of the ransom, and 2) the type of encryption
algorithm used.

Unfortunately, research shows that most employ AES, RSA, or other algorithms
that generate unique decryption keys.

Therefore, manual file decryption without the developers' involvement
(contacting these people is not recommended) is impossible, unless the malware
is not fully developed or has certain bugs/flaws (e.g., the keys are hard-coded,
stored locally, or similar).

Ransomware is one of the main reasons for keeping regular data backups.
Furthermore, keep backup files on a remote server (e.g., cloud storage) or on
unplugged external storage; otherwise the backups are encrypted as well.


HOW DID RANSOMWARE INFECT MY COMPUTER?

Ransomware-type viruses are often distributed using trojans, fake software
update tools, spam emails (infectious attachments), P2P (peer-to-peer) networks,
and other unofficial download sources. Trojans work very simply - in most cases
they open "backdoors" for other high-risk malware to infiltrate the system.

Fake software updaters infect the system by abusing outdated software bugs/flaws
or downloading/installing viruses rather than software updates. Infectious
attachments commonly come in the format of JavaScript files or MS Office
documents.

By opening these attachments, users execute scripts that download and install
viruses. P2P networks (torrents, eMule, etc.) and other third-party download
sources (freeware download websites, free file hosting sites, and so on) present
malicious executables as legitimate software.

Therefore, many users are tricked into downloading and installing malware. In
summary, the main reasons for computer infections are poor knowledge and
careless behavior.

Threat Summary:

Name: Creeper virus
Threat Type: Ransomware, Crypto Virus, Files locker
Symptoms: Can't open files stored on your computer, previously functional
files now have a different extension, for example my.docx.locked. A ransom
demanding message is displayed on your desktop. Cyber criminals are asking to
pay a ransom (usually in bitcoins) to unlock your files.
Distribution methods: Infected email attachments (macros), torrent websites,
malicious ads.
Damage: All files are encrypted and cannot be opened without paying a ransom.
Additional password stealing trojans and malware infections can be installed
together with a ransomware infection.
Malware Removal (Windows): To eliminate possible malware infections, scan your
computer with legitimate antivirus software. Our security researchers recommend
using Combo Cleaner.




HOW TO PROTECT YOURSELF FROM RANSOMWARE INFECTIONS?

To prevent ransomware infections, be very careful when browsing the Internet.
Files received from suspicious/unrecognizable emails should never be opened. In
fact, these emails should be deleted without reading. We strongly advise you to
download your applications from official sources only, using direct download
links.

Criminals monetize third-party downloaders/installers by promoting dubious
programs. Therefore, these tools should never be used. Keep installed software
updated and use a legitimate anti-virus/anti-spyware suite. Remember, however,
that cyber criminals proliferate malware via fake updaters.

Therefore, you are strongly advised to use the built-in update features or the
tools provided by the official developer. Caution is the key to computer safety.

Text presented in Creeper ransomware text file ("DECRIPT_MY_FILES.txt"):

> Decrypting your files is easy. Take a deep breath and follow the steps below.
> 1 ) Make the proper payment.
> Payments are made in Monero. This is a crypto-currency, like bitcoin.
> You can buy Monero, and send it, from the same places you can any other
> crypto-currency. If you're still unsure, google 'monero exchange'.
> 
> Sign up at one of these exchange sites and send the payment to the address
> below.
> 
> Payment Address (Monero Wallet):
> 
> 46WDbj1YCQrCfAGW37AJi3Ljr86waWBP1GwoRCeAGcR49xtNvRWpVyXQsqWDxW4qaQ5SxnDB4VnJZRhNaYHuvkAdVaeLeMM
> 
> 2 ) Farther you should send the following code: [redacted hex] to email
> address skgrhk2018@tutanota.com.
> Then you will receive all necessary key.
> 
> Prices :
> Days : Monero : Offer Expires
> 0-2 : 3 : 03/01/18
> 3-5 : 5 : 03/04/18
> 
> Note: In 6 days your password decryption key gets permanently deleted.
> You then have no way to ever retrieve your files. So pay now.

Screenshot of files encrypted by Creeper (".creeper" extension):




CREEPER RANSOMWARE REMOVAL:

Instant automatic malware removal: Manual threat removal might be a lengthy and
complicated process that requires advanced IT skills. Combo Cleaner is a
professional automatic malware removal tool that is recommended to get rid of
malware. Download it by clicking the button below:




VIDEO SUGGESTING WHAT STEPS SHOULD BE TAKEN IN CASE OF A RANSOMWARE INFECTION:



Quick menu:

 * What is Creeper virus?
 * STEP 1. Reporting ransomware to authorities.
 * STEP 2. Isolating the infected device.
 * STEP 3. Identifying the ransomware infection.
 * STEP 4. Searching for ransomware decryption tools.
 * STEP 5. Restoring files with data recovery tools.
 * STEP 6. Creating data backups.


REPORTING RANSOMWARE TO AUTHORITIES:

If you are a victim of a ransomware attack we recommend reporting this incident
to authorities. By providing information to law enforcement agencies you will
help track cybercrime and potentially assist in the prosecution of the
attackers. Here's a list of authorities where you should report a ransomware
attack. For the complete list of local cybersecurity centers and information on
why you should report ransomware attacks, read this article.

List of local authorities where ransomware attacks should be reported (choose
one depending on your residence address):

 * USA - Internet Crime Complaint Centre IC3
 * United Kingdom - Action Fraud
 * Spain - Policía Nacional
 * France - Ministère de l'Intérieur
 * Germany - Polizei
 * Italy - Polizia di Stato
 * The Netherlands - Politie
 * Poland - Policja
 * Portugal - Polícia Judiciária


ISOLATING THE INFECTED DEVICE:

Some ransomware-type infections are designed to encrypt files within external
storage devices, infect them, and even spread throughout the entire local
network. For this reason, it is very important to isolate the infected device
(computer) as soon as possible.

Step 1: Disconnect from the internet.

The easiest way to disconnect a computer from the internet is to unplug the
Ethernet cable from the motherboard. However, some devices are connected via a
wireless network, and for some users (especially those who are not particularly
tech-savvy) disconnecting cables may seem troublesome. Therefore, you can also
disconnect the system manually via Control Panel:

Navigate to the "Control Panel", click the search bar in the upper-right corner
of the screen, enter "Network and Sharing Center" and select search result:

Click the "Change adapter settings" option in the upper-left corner of the
window:

Right-click on each connection point and select "Disable". Once disabled, the
system will no longer be connected to the internet. To re-enable the connection
points, simply right-click again and select "Enable".

Step 2: Unplug all storage devices.

As mentioned above, ransomware might encrypt data and infiltrate all storage
devices that are connected to the computer. For this reason, all external
storage devices (flash drives, portable hard drives, etc.) should be
disconnected immediately. We strongly advise you, however, to eject each device
before disconnecting it to prevent data corruption:

Navigate to "My Computer", right-click on each connected device, and select
"Eject":

Step 3: Log out of cloud storage accounts.

Some ransomware-type infections might be able to hijack software that handles
data stored within "the Cloud". Therefore, that data could be corrupted or
encrypted as well. For this reason, you should log out of all cloud storage
accounts within browsers and other related software. You should also consider
temporarily uninstalling the cloud-management software until the infection is
completely removed.


IDENTIFY THE RANSOMWARE INFECTION:

To properly handle an infection, one must first identify it. Some ransomware
infections use ransom-demand messages as an introduction (see the WALDO
ransomware text file below).



This, however, is rare. In most cases, ransomware infections deliver more direct
messages simply stating that data is encrypted and that victims must pay some
sort of ransom. Note that ransomware-type infections typically generate messages
with different file names (for example, "_readme.txt", "READ-ME.txt",
"DECRYPTION_INSTRUCTIONS.txt", "DECRYPT_FILES.html", etc.). Therefore, using the
name of a ransom message may seem like a good way to identify the infection. The
problem is that most of these names are generic and some infections use the same
names, even though the delivered messages are different and the infections
themselves are unrelated. Therefore, using the message filename alone can be
ineffective and even lead to permanent data loss (for example, by attempting to
decrypt data using tools designed for different ransomware infections, users are
likely to end up permanently damaging files and decryption will no longer be
possible even with the correct tool).

Another way to identify a ransomware infection is to check the file extension,
which is appended to each encrypted file. Ransomware infections are often named
by the extensions they append (see files encrypted by Qewe ransomware below).



This method is only effective, however, when the appended extension is unique -
many ransomware infections append a generic extension (for example,
".encrypted", ".enc", ".crypted", ".locked", etc.). In these cases, identifying
ransomware by its appended extension becomes impossible.

One of the easiest and quickest ways to identify a ransomware infection is to
use the ID Ransomware website. This service supports most existing ransomware
infections. Victims simply upload a ransom message and/or one encrypted file (we
advise you to upload both if possible).



The ransomware will be identified within seconds and you will be provided with
various details, such as the name of the malware family to which the infection
belongs, whether it is decryptable, and so on.

Example 1 (Qewe [Stop/Djvu] ransomware):



Example 2 (.iso [Phobos] ransomware):



If your data happens to be encrypted by ransomware that is not supported by ID
Ransomware, you can always try searching the internet by using certain keywords
(for example, a ransom message title, file extension, provided contact emails,
crypto wallet addresses, etc.).
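The identification steps above (appended extension, ransom note name, and the contact and wallet strings to use as search keywords) as a small triage script. This is an added example, not code from the pcrisk guide; it assumes the Creeper indicators named on this page (".creeper", "DECRIPT_MY_FILES.txt") and treats the Monero address pattern as a heuristic. The sample folder it scans is constructed inline.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicators named in the guide: the appended extension and the note filename.
CREEPER_EXT = ".creeper"
CREEPER_NOTE = "DECRIPT_MY_FILES.txt"

# Generic note names and extensions the guide lists; on their own these do
# not identify a family, so the triage reports them as weak signals.
GENERIC_NOTE_NAMES = {"_readme.txt", "read-me.txt",
                      "decryption_instructions.txt", "decrypt_files.html"}
GENERIC_EXTS = {".encrypted", ".enc", ".crypted", ".locked"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Assumption (heuristic): a standard Monero address is 95 base58 characters
# beginning with 4 or 8, which matches the address quoted in the note above.
MONERO_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")


def triage(root):
    """Collect the identification signals the guide describes from a tree."""
    root = Path(root)
    appended = Counter()
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        lower = path.name.lower()
        if lower == CREEPER_NOTE.lower() or lower in GENERIC_NOTE_NAMES:
            notes.append(path)
        elif len(path.suffixes) >= 2:
            # "sample.jpg.creeper": the ransomware appends its extension after
            # the original one, so only double-extension files are counted.
            # Legitimate double extensions (.tar.gz) add noise; majority wins.
            appended[path.suffixes[-1].lower()] += 1

    ext, ext_count = (appended.most_common(1) or [(None, 0)])[0]
    emails, wallets = set(), set()
    for note in notes:
        text = note.read_text(errors="replace")
        emails.update(EMAIL_RE.findall(text))
        wallets.update(MONERO_RE.findall(text))

    keywords = emails | wallets
    if ext:
        keywords.add(ext)
    return {
        "extension": ext,
        "encrypted_files": ext_count,
        "extension_is_generic": ext in GENERIC_EXTS,
        "notes": [n.name for n in notes],
        "note_name_is_generic": any(n.name.lower() in GENERIC_NOTE_NAMES
                                    for n in notes),
        "emails": sorted(emails),
        "wallets": sorted(wallets),
        # Keywords to feed into ID Ransomware, No More Ransom or a web search.
        "search_keywords": sorted(keywords),
    }


def build_sample():
    """Constructed sample tree imitating a user folder hit by Creeper."""
    root = Path(tempfile.mkdtemp(prefix="creeper-triage-"))
    (root / "Documents").mkdir()
    for name in ("sample.jpg.creeper", "Documents/report.docx.creeper",
                 "Documents/notes.txt.creeper", "untouched.md", "backup.tar.gz"):
        (root / name).write_bytes(b"\x00opaque ciphertext\x00")
    # Note text: the two contact values quoted in the guide's copy of the note.
    (root / CREEPER_NOTE).write_text(
        "Payment Address (Monero Wallet):\n"
        "46WDbj1YCQrCfAGW37AJi3Ljr86waWBP1GwoRCeAGcR49xtNvRWpVyXQsqWDxW4qaQ5SxnDB4VnJZRhNaYHuvkAdVaeLeMM\n"
        "send the following code to email address skgrhk2018@tutanota.com.\n")
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run against a real affected folder, the "search_keywords" list is what you would paste into ID Ransomware or the No More Ransom search; a generic extension or note name in the output means those signals alone cannot identify the family.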


SEARCH FOR RANSOMWARE DECRYPTION TOOLS:

Encryption algorithms used by most ransomware-type infections are extremely
sophisticated and, if the encryption is performed properly, only the developer
is capable of restoring data. This is because decryption requires a specific
key, which is generated during the encryption. Restoring data without the key is
impossible. In most cases, cybercriminals store keys on a remote server, rather
than using the infected machine as a host. Dharma (CrySis), Phobos, and other
families of high-end ransomware infections are virtually flawless, and thus
restoring data encrypted without the developers' involvement is simply
impossible. Despite this, there are dozens of ransomware-type infections that
are poorly developed and contain a number of flaws (for example, the use of
identical encryption/decryption keys for each victim, keys stored locally,
etc.). Therefore, always check for available decryption tools for any ransomware
that infiltrates your computer.

Finding the correct decryption tool on the internet can be very frustrating. For
this reason, we recommend that you use the No More Ransom Project and this is
where identifying the ransomware infection is useful. The No More Ransom Project
website contains a "Decryption Tools" section with a search bar. Enter the name
of the identified ransomware, and all available decryptors (if there are any)
will be listed.




RESTORE FILES WITH DATA RECOVERY TOOLS:

Depending on the situation (quality of ransomware infection, type of encryption
algorithm used, etc.), restoring data with certain third-party tools might be
possible. Therefore, we advise you to use the Recuva tool developed by CCleaner.
This tool supports over a thousand data types (graphics, video, audio,
documents, etc.) and it is very intuitive (little knowledge is necessary to
recover data). In addition, the recovery feature is completely free.

Step 1: Perform a scan.

Run the Recuva application and follow the wizard. You will be prompted with
several windows allowing you to choose what file types to look for, which
locations should be scanned, etc. All you need to do is select the options
you're looking for and start the scan. We advise you to enable the "Deep Scan"
before starting, otherwise, the application's scanning capabilities will be
restricted.



Wait for Recuva to complete the scan. The scanning duration depends on the
volume of files (both in quantity and size) that you are scanning (for example,
several hundred gigabytes could take over an hour to scan). Therefore, be
patient during the scanning process. We also advise against modifying or
deleting existing files, since this might interfere with the scan. If you add
additional data (for example, downloading files/content) while scanning, this
will prolong the process:



Step 2: Recover data.

Once the process is complete, select the folders/files you wish to restore and
simply click "Recover". Note that some free space on your storage drive is
necessary to restore data:




CREATE DATA BACKUPS:

Proper file management and creating backups is essential for data security.
Therefore, always be very careful and think ahead.

Partition management: We recommend that you store your data in multiple
partitions and avoid storing important files within the partition that contains
the entire operating system. If you fall into a situation whereby you cannot
boot the system and are forced to format the disk on which the operating system
is installed (in most cases, this is where malware infections hide), you will
lose all data stored within that drive. This is the advantage of having multiple
partitions: if you have the entire storage device assigned to a single
partition, you will be forced to delete everything, however, creating multiple
partitions and allocating the data properly allows you to prevent such problems.
You can easily format a single partition without affecting the others -
therefore, one will be cleaned and the others will remain untouched, and your
data will be saved. Managing partitions is quite simple and you can find all the
necessary information on Microsoft's documentation web page.

Data backups: One of the most reliable backup methods is to use an external
storage device and keep it unplugged. Copy your data to an external hard drive,
flash (thumb) drive, SSD, HDD, or any other storage device, unplug it and store
it in a dry place away from the sun and extreme temperatures. This method is,
however, quite inefficient, since data backups and updates need to be made
regularly. You can also use a cloud service or remote server. Here, an internet
connection is required and there is always the chance of a security breach,
although such breaches are rare.

We recommend using Microsoft OneDrive for backing up your files. OneDrive lets
you store your personal files and data in the cloud, sync files across computers
and mobile devices, allowing you to access and edit your files from all of your
Windows devices. OneDrive lets you save, share and preview files, access
download history, move, delete, and rename files, as well as create new folders,
and much more.

You can back up your most important folders and files on your PC (your Desktop,
Documents, and Pictures folders). Some of OneDrive’s more notable features
include file versioning, which keeps older versions of files for up to 30 days.
OneDrive features a recycling bin in which all of your deleted files are stored
for a limited time. Deleted files are not counted as part of the user’s
allocation.

The service is built using HTML5 technologies and allows you to upload files up
to 300 MB via drag and drop into the web browser or up to 10 GB via the OneDrive
desktop application. With OneDrive, you can download entire folders as a single
ZIP file with up to 10,000 files, although it can’t exceed 15 GB per single
download.

OneDrive comes with 5 GB of free storage out of the box, with an additional 100
GB, 1 TB, and 6 TB storage options available for a subscription-based fee. You
can get one of these storage plans by either purchasing additional storage
separately or with Office 365 subscription.

Creating a data backup:

The backup process is the same for all file types and folders. Here's how you
can back up your files using Microsoft OneDrive:

Step 1: Choose the files/folders you want to back up.



Click the OneDrive cloud icon to open the OneDrive menu. While in this menu, you
can customize your file backup settings.



Click Help & Settings and then select Settings from the drop-down menu.



Go to the Backup tab and click Manage backup.



In this menu, you can choose to back up the Desktop and all of the files on it,
and the Documents and Pictures folders, again with all of the files in them.
Click Start backup.

Now, when you add a file or folder in the Desktop and Documents and Pictures
folders, they will be automatically backed up on OneDrive.

Folders and files outside the locations shown above have to be added manually.



Open File Explorer and navigate to the location of the folder/file you want to
back up. Select the item, right-click it, and click Copy.



Then, navigate to OneDrive, right-click anywhere in the window and click Paste.
Alternatively, you can just drag and drop a file into OneDrive. OneDrive will
automatically create a backup of the folder/file.



All of the files added to the OneDrive folder are backed up in the cloud
automatically. The green circle with the checkmark in it indicates that the file
is available both locally and on OneDrive and that the file version is the same
on both. The blue cloud icon indicates that the file has not been synced and is
available only on OneDrive. The sync icon indicates that the file is currently
syncing.



To access files only located on OneDrive online, go to the Help & Settings
drop-down menu and select View online.



Step 2: Restore corrupted files.

OneDrive makes sure that the files stay in sync, so the version of the file on
the computer is the same version on the cloud. However, if ransomware has
encrypted your files, you can take advantage of OneDrive’s Version history
feature that will allow you to restore the file versions prior to encryption.

Microsoft 365 has a ransomware detection feature that notifies you when your
OneDrive files have been attacked and guides you through the process of
restoring your files. It must be noted, however, that if you don't have a paid
Microsoft 365 subscription, you only get one detection and file recovery for
free.

If your OneDrive files get deleted, corrupted, or infected by malware, you can
restore your entire OneDrive to a previous state. Here’s how you can restore
your entire OneDrive:



1. If you're signed in with a personal account, click the Settings cog at the
top of the page. Then, click Options and select Restore your OneDrive.

If you're signed in with a work or school account,  click the Settings cog at
the top of the page. Then, click Restore your OneDrive.

2. On the Restore your OneDrive page, select a date from the drop-down list.
Note that if you're restoring your files after automatic ransomware detection, a
restore date will be selected for you.

3. After configuring all of the file restoration options, click Restore to undo
all the activities you selected.

The best way to avoid damage from ransomware infections is to maintain regular
up-to-date backups.




ABOUT THE AUTHOR:



Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have over 10 years of
experience working in various companies related to computer technical issue
solving and Internet security. I have been working as an author and editor for
pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about
the latest online security threats. Contact Tomas Meskauskas.

Copyright © 2007-2024 PCrisk.com. Any redistribution or reproduction of part or
all of the contents in any form is prohibited.

Privacy policy | Site Disclaimer | Terms of use | About us | Contact us | Search
this website

Twitter Facebook LinkedIn Youtube

This website uses cookies to ensure you get the best experience on our website.
Read our privacy policy

Got it!