Cry128 Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Ranking: | 16,996 |
| Threat Level: | 80 % (High) |
| Infected Computers: | 659 |
| First Seen: | May 5, 2017 |
| Last Seen: | June 27, 2023 |
| OS(es) Affected: | Windows |
The Cry128 Ransomware is a ransomware Trojan that is a variant of Crypton, a ransomware family that includes the recently released Cry9 Ransomware variant. The Cry128 Ransomware and its variants are being delivered by attaching corrupted macro-enabled files to spam email messages. These files exploit a vulnerability in Windows that allows con artists to download and execute threats onto the victim's computer. The Cry128 Ransomware seems to be targeted towards English speakers and will encrypt the victim's files to demand the payment of a ransom.
The Cry128 Ransomware Attack
Like most ransomware Trojans, the Cry128 Ransomware is designed to infiltrate a computer and take the victim's files hostage, encrypting them using a strong encryption algorithm. Among the many file types that the Cry128 Ransomware will encrypt, the following are included:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, ,doc, .epub, .docx .fb2, .flv, .gif, .gz, .iso .ibooks,.jpeg, .jpg, .key, .mdb .md2, .mdf, .mht, .mobi .mhtm, .mkv, .mov, .mp3, .mp4, .mpg .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.
The Cry128 Ransomware uses a combination of AES and RSA encryption to make the victim's files inaccessible, working in the background after the victim opens the corrupted macro-enabled file. Apart from encrypting the victim's files, the Cry128 Ransomware will delete the System Restore Points and the Shadow Volume Copies, both of which can be used to recover lost data or undo unwanted changes made to a computer. The Cry128 Ransomware will encrypt the files and change their names by adding the following extensions to the end of each encrypted file:
.id__[URL_onion]._
.id__[URL_onion].63vc4
The Cry128 Ransomware will display a pop-up message containing a ransom message. This ransom note is contained in a text file named 'DECRYPT MY FILE.txt' and contains the following text:
'*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
To decrypt your files you need to buy the special software. To recover data, follow the instructions!
You can find out the details/ask questions in the chat:
xxxxs://gebdp3k7bolalnd4.onion.to (not need Tor)
xxxxs://gebdp3k7bolalnd4.onion.cab (not need Tor)
xxxxs://gebdp3k7bolalnd4.onion.nu (not need Tor)
You ID: ***
If the resource is not available for a long time, install and use the Tor-browser:
1. Run your Internet-browser
2. Enter or copy the address https://www.torproject.org/download/download-easy.html in the address bar of your browser and press key ENTER
3. On the site will be offered to download the Tor-browser, download and install it. Run.
4. Connect with the button "Connect" (if you use the English version)
5. After connection, the usual Tor-browser window will open
6. Enter or copy the address xxxx://gebdp3k7bolalnd4.onion in the address bar of Tor-browser and press key ENTER
7. Wait for the site to load
If you have any problems installing or using, please visit the video tutorial h[tt]ps://www.youtube.com/watch?v=gOgh3ABju6Q'
Dealing with the Cry128 Ransomware
The Cry128 Ransomware demands 0.15 BitCoin (approximately $250 USD at the current exchange rate) to decrypt the victim's files. Computer users should refrain from paying this ransom. There is no guarantee that the con artists will deliver on their promise and, even if they do, paying these ransoms will allow them to create and develop threats like the Cry128 Ransomware, reinfect the victim's computer or claim more victims eventually. The best protection against threats like the Cry128 Ransomware is to have backup copies of all files on an external memory device. This allows victims of the Cry128 Ransomware infection to quickly recover their files from the backup, undermining any power the con artists have over the victim completely.
