Crypyt Ransomware

Cybercriminals have released a new ransomware threat named Crypyt Ransomware. Although analysis has revealed that Crypyt is a variant of the VoidCrypt malware family, it can still cause severe damage to the computers it manages to infect. The threat is equipped with an uncrackable encryption process that can lock numerous file types. Victims of Crypyt will no longer be able to access or use the encrypted files. The attackers will then offer to provide the affected users with the necessary decryption key and software tool, but only after they have been paid a hefty ransom. Other ransomware threats include WORM (a Dharma variant), Rugi (a STOP/Djvu variant) and the Extortionist Ransomware.

During the encryption, each targeted file will also have its name changed drastically. The threat follows the typical VoidCrypt naming convention and appends to the names of the locked files an email address, an ID string assigned to the specific compromised system, and finally, a new file extension. The email address and extension used by this particular variant are '3ncrypter.m4n@gmail.com' and '.crypyt'. The ransom note with instructions for the victims is then delivered to the system as a text file named 'Read-this.txt'.

Ransom Note Details

According to the ransom-demanding message, all victims should immediately locate a file named 'prvkey.txt.key' on the device. Its default location is the C:\ProgramData\ folder. Apparently, this file contains crucial data (a key), and without it, even the attackers will not be able to restore any of the locked files. The note instructs victims to send the file to the attackers via the two email addresses it lists: '3ncrypter.m4n@gmail.com' and '3ncryptionfile@gmail.com'.

Alongside this specific file, Crypyt's victims can also send a couple of their locked files that will supposedly be unlocked for free. However, the chosen files must not contain any valuable information and should be less than 1MB in size. Finally, the note states that the ransom payment must be transferred using the Bitcoin cryptocurrency, a popular demand among ransomware operators.

The full text of Crypyt's note is:

'All Your Files Has Been Encrypted
You Have to Pay to Get Your Files Back

1-Go to C:\ProgramData\ or in Your other Drives and send us prvkey.txt.key file
2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data
3-Payment should be with Bitcoin
4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss

Our Email:3ncrypter.m4n@gmail.com
in Case of no Answer:3ncryptionfile@gmail.com
'
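The file-system indicators described above (the '.crypyt' extension, the contact address embedded in file names, 'Read-this.txt' and 'prvkey.txt.key') can be swept for during incident triage. The script below is an added example, not part of the original write-up: the function names and the `crypyt_evidence` folder are hypothetical, and because the exact delimiters of the renamed files are not given here, the email address is matched as a loose substring.

```python
import hashlib
import os
import shutil
import sys

# Indicators as given in the description above.
CONTACT_EMAIL = "3ncrypter.m4n@gmail.com"
LOCKED_EXT = ".crypyt"
RANSOM_NOTE = "read-this.txt"
KEY_FILE = "prvkey.txt.key"

def classify(filename):
    """Map a file name to an indicator type, or None when nothing matches."""
    name = filename.lower()
    if name == KEY_FILE:
        return "key_file"
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.endswith(LOCKED_EXT):
        # Assumption: the delimiters around the email and ID are not documented
        # here, so the email is matched as a substring of the file name.
        return "locked_file" if CONTACT_EMAIL in name else "locked_ext_only"
    return None

def triage(root):
    """Walk root and group matching paths by indicator type."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for fname in files:
            kind = classify(fname)
            if kind:
                hits.setdefault(kind, []).append(os.path.join(dirpath, fname))
    return hits

def preserve_keys(hits, evidence_dir):
    """Copy each prvkey.txt.key found into evidence_dir; return {source: sha256}."""
    os.makedirs(evidence_dir, exist_ok=True)
    digests = {}
    for i, src in enumerate(hits.get("key_file", [])):
        with open(src, "rb") as fh:
            digests[src] = hashlib.sha256(fh.read()).hexdigest()
        shutil.copy2(src, os.path.join(evidence_dir, f"{i}_{KEY_FILE}"))
    return digests

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\ProgramData"  # folder named in the note
    found = triage(root)
    for kind, paths in sorted(found.items()):
        print(kind, len(paths))
    print(preserve_keys(found, "crypyt_evidence"))
```

Copying 'prvkey.txt.key' off the host before any rebuild matters because the note itself states that reinstalling Windows without saving the file causes permanent data loss.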