Cry9 Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Ranking: | 14,636 |
| Threat Level: | 100 % (High) |
| Infected Computers: | 32 |
| First Seen: | April 5, 2017 |
| Last Seen: | July 11, 2023 |
| OS(es) Affected: | Windows |
The Cry9 Ransomware is a ransomware Trojan that seems to be a variant of a known ransomware Trojan named Crypton. This new version of this ransomware Trojan was released as the anti-virus programs started to recognize its previous iteration. The Cry9 Ransomware adds on to this previously known threat by adding obfuscation measures to prevent detection. Malware researchers suspect that the Cry9 Ransomware is being distributed through the use of corrupted email attachments that use text files with compromised macros to install threats on the victim's computer. The Cry9 Ransomware is designed to infect computers running the Windows operating system and seems designed to target Portuguese speakers due to the geographical location of most infections and the language used in the Cry9 Ransomware's ransom note.
The Cry9 Ransomware – Another Ransomware Attacking Brazilian Users
The Cry9 Ransomware uses an attack method that is typical of most encryption Trojans. The Cry9 Ransomware was first observed in April 2017, compromising various computers located in Brazil. The Cry9 Ransomware uses a combination of the AES 256 and RSA encryptions to take over a computer and encrypt its victims' files. The Cry9 Ransomware will scan the victim's computer in search for files to encrypt in its attack. The Cry9 Ransomware will encrypt the following file types in its attack:
.3GP, .7Z, .APK, .AVI, .BMP, .CDR, .CER, .CHM, .CONF, .CSS, .CSV, .DAT, .DB, .DBF, .DJVU, .DBX, .DOCM, ,DOC, .EPUB, .DOCX .FB2, .FLV, .GIF, .GZ, .ISO .IBOOKS,.JPEG, .JPG, .KEY, .MDB .MD2, .MDF, .MHT, .MOBI .MHTM, .MKV, .MOV, .MP3, .MP4, .MPG .MPEG, .PICT, .PDF, .PPS, .PKG, .PNG, .PPT .PPTX, .PPSX, .PSD, .RAR, .RTF, .SCR, .SWF, .SAV, .TIFF, .TIF, .TBL, .TORRENT, .TXT, .VSD, .WMV, .XLS, .XLSX, .XPS, .XML, .CKP, .ZIP, .JAVA, .PY, .ASM, .C, .CPP, .CS, .JS, .PHP, .DACPAC, .RBW, .RB, .MRG, .DCX, .DB3, .SQL, .SQLITE3, .SQLITE, .SQLITEDB, .PSD, .PSP, .PDB, .DXF, .DWG, .DRW, .CASB, .CCP, .CAL, .CMX, .CR2.
Unlike many other ransomware Trojans that use similar attacks, the Cry9 Ransomware will not change the infected files' names, making it difficult to tell which files have been compromised in the Cry9 Ransomware infection exactly. The Cry9 Ransomware will avoid files in the Windows Directory or other directories that contain files essential for Windows to function properly. Because of this, the Cry9 Ransomware will allow Windows to continue functioning properly but will prevent computer users from accessing their data. The Cry9 Ransomware does this so that the Cry9 Ransomware can deliver its ransom note. The Cry9 Ransomware's ransom note is contained in a text file that is dropped on the infected computer's desktop. This file is named 'Arquivos criptografados.txt,' Portuguese for 'Encrypted files.txt' and contains the following message (originally in Portuguese):
'!!! YOUR FILES WERE ENCRYPTED !!!
Your personal identification: [RANDOM CHARACTERS]
To receive the decoder you must pay for the program.
Buy 0.5 BTC on these sites:
Xxxxs: //localbitcoins.com
Xxxxs: //www.coinbase.com
Xxxx: //xapo.com/
BITCOIN ADDRESS TO PAY:
[RANDOM CHARACTERS]
Send 0.5 btc for decoding
After paying:
1. Send a screenshot or payment photo to the address: juccy@protonmail.ch
2. If you want to remain anonymous or if you are not receiving a response, try using the bit message IM client (bitmessage.ch) and use this address to contact me:
BM-[RANDOM CHARACTERS]@bitmessage.ch. This method will work 100%.
3. In the email you must include your personal identification [RANDOM CHARACTERS].
You will then receive the decoder and instructions.'
Dealing with a Cry9 Ransomware Infection
The Cry9 Ransomware demands the payment of a ransom of 0.5 BitCoin (approximately $550 USD), a very large amount for computer users in Brazil. PC security experts advise computer users to protect their files by having backup copies of them on an external memory device. A fully up-to-date security program can be used to intercept the Cry9 Ransomware infection and remove the Cry9 Ransomware if it has been installed on a computer. However, due to the method of encryption that the Cry9 Ransomware uses, the files affected by the Cry9 Ransomware will not be recoverable without the decryption key.
