Cry36 Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Threat Level: 80% (High)
Infected Computers: 1
First Seen: June 8, 2017
Last Seen: August 31, 2019
OS(es) Affected: Windows
The Cry36 Ransomware is an encryption ransomware Trojan. Like similar ransomware Trojans, the Cry36 Ransomware takes the victim's files hostage, enciphering them with a strong encryption algorithm and then demanding payment of a ransom in exchange for the decryption key or software needed to decode the affected files. The Cry36 Ransomware is not a new threat; it has been observed several times before in modified or precursor versions. It belongs to a family known as the Crypton Ransomware, which includes many variants with names such as the Cry9 Ransomware and the Cry128 Ransomware.
How the Cry36 Ransomware Infection may be Delivered to Its Victims
Victims typically infect their computers with the Cry36 Ransomware after opening a spam email message disguised to look like a legitimate email from Amazon, FedEx, PayPal, or another legitimate online portal or company. These messages can be highly effective: they spoof the sender's email address and reuse the company's logos and graphics, making them hard to distinguish from a genuine message. The emails carry file attachments that run corrupted scripts or macros to infect the victim's computer, often DOCX documents whose macros, once enabled, download and install the Cry36 Ransomware on the victim's computer.
The Cry36 Ransomware may Ask for a Ransom Amount that can Make You Cry
Once the Cry36 Ransomware is installed on the victim's computer, it scans all local drives, drives shared on the network, and external storage devices connected to the infected computer. The Cry36 Ransomware searches for user-generated files, targeting a wide variety of file types in its attack, corresponding to common media files and files produced by numerous popular programs (such as Microsoft Office or Adobe Acrobat). The Cry36 Ransomware uses a combination of AES and RSA encryption to make these files inaccessible to the victim. After encrypting the victim's files, the Cry36 Ransomware delivers its ransom note in the form of a text file named '### DECRYPT MY FILES ###.txt,' which contains the following message:
'***ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED***
To decrypt your files you need to buy the special software. To recover data, follow the instructions! You can find out the details/ask questions in the chat:
https://[EDITED].onion.lo (not need Tor)
https://[EDITED].onion.cab (not need Tor)
https://[EDITED].onion.nu (not need Tor)
You ID: [8 RANDOM CHARACTERS]
[INSTRUCTIONS HOW TO INSTALL THE TOR BROWSER]
// If you have any problems Installing or using, please visit the video tutorial [LINK TO YOUTUBE]'
The victim is alerted about the attack and is instructed to pay a large ransom by contacting the people associated with the Cry36 Ransomware attack through email. The following emails (among numerous others) have been associated with the Cry36 Ransomware Trojan and its associated spam email campaign:
mk.smoke@aol.com
liukang@mortalkombat.su
mk.rain@aol.com
don-corleone@mortalkombat.su
Each affected file will be renamed, with the following string added to the end of the file's name as an extension:
..id-[VICTIM ID]..[5 RANDOM CHARACTERS]
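A small triage helper, added here as an example and not part of the original page, that scans a file listing for the two file-system indicators described above: the ransom note name and the renamed-file suffix. It assumes the victim ID is 8 alphanumeric characters (as the note's "[8 RANDOM CHARACTERS]" suggests) and accepts one or two dots at each separator, since the page prints them doubled; the sample listing is constructed, not real infection data.

```python
import re
from collections import defaultdict

# Indicators taken from the page: ransom note file name and the suffix
# appended to encrypted files ("..id-[VICTIM ID]..[5 RANDOM CHARACTERS]").
RANSOM_NOTE_NAME = "### DECRYPT MY FILES ###.txt"

# Assumption: 8-character alphanumeric victim ID, 5-character random tail,
# one or two dots at each separator (the page prints them as double dots).
CRY36_SUFFIX = re.compile(
    r"\.{1,2}id-(?P<victim>[A-Za-z0-9]{8})\.{1,2}(?P<rand>[A-Za-z0-9]{5})$"
)


def split_path(path):
    """Split on either separator so Windows listings can be triaged from any host."""
    name = re.split(r"[\\/]", path)[-1]
    return path[: len(path) - len(name)].rstrip("\\/"), name


def parse_cry36_name(filename):
    """Return (original_name, victim_id) if the name carries the Cry36 suffix, else None."""
    m = CRY36_SUFFIX.search(filename)
    if not m:
        return None
    return filename[: m.start()], m.group("victim")


def triage_paths(paths):
    """Group Cry36 indicators found in an iterable of file paths.

    Returns ransom-note locations, encrypted files keyed by victim ID, and the
    directories touched, so a responder can judge scope (local drives versus
    network shares) before restoring from backup.
    """
    report = {"notes": [], "encrypted": defaultdict(list), "dirs": set()}
    for path in paths:
        directory, name = split_path(path)
        if name == RANSOM_NOTE_NAME:
            report["notes"].append(path)
            report["dirs"].add(directory)
            continue
        parsed = parse_cry36_name(name)
        if parsed:
            original, victim = parsed
            report["encrypted"][victim].append((path, original))
            report["dirs"].add(directory)
    report["encrypted"] = dict(report["encrypted"])
    return report


# Constructed sample listing (not real infection data) to exercise the triage.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx..id-A1B2C3D4..q7zx9",
    r"C:\Users\alice\Documents\### DECRYPT MY FILES ###.txt",
    r"\\fileserver\share\report.docx..id-A1B2C3D4..m4kp2",
    r"C:\Users\alice\Pictures\holiday.jpg",
]
```

Feed `triage_paths` the output of a directory walk or a file-server listing; a single victim ID appearing on both local and shared paths indicates the share was reachable from the infected host.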
Dealing with the Cry36 Ransomware Infection
Unfortunately, as part of its attack, the Cry36 Ransomware also deletes the Shadow Volume Copies and the System Restore points, which victims could otherwise use to recover their files. Taking preventive measures limits the damage that threats like the Cry36 Ransomware can cause. The best prevention against these ransomware infections is a reliable backup system: with backup copies of all files, victims can ignore the ransom demand and simply restore their files from the backup. Apart from file backups, it is also essential that computer users protect their machines with a security program that is kept fully up-to-date.