Cry9 Ransomware Description
The Cry9 Ransomware is a ransomware Trojan that appears to be a variant of a known ransomware Trojan named Crypton. This new version was released as anti-virus programs started to recognize the previous iteration, and it adds obfuscation measures to the earlier threat to prevent detection. Malware researchers suspect that the Cry9 Ransomware is distributed through corrupted email attachments that use text files with compromised macros to install threats on the victim's computer. The Cry9 Ransomware is designed to infect computers running the Windows operating system and seems to target Portuguese speakers, judging by the geographical location of most infections and the language used in its ransom note.
The Cry9 Ransomware – Another Ransomware Attacking Brazilian Users
The Cry9 Ransomware uses an attack method that is typical of most encryption Trojans. It was first observed in April 2017, compromising various computers located in Brazil. The Cry9 Ransomware uses a combination of AES-256 and RSA encryption to take over a computer and encrypt its victims' files. It scans the victim's computer in search of files to encrypt and targets the following file types:
.3GP, .7Z, .APK, .AVI, .BMP, .CDR, .CER, .CHM, .CONF, .CSS, .CSV, .DAT, .DB, .DBF, .DJVU, .DBX, .DOCM, .DOC, .EPUB, .DOCX, .FB2, .FLV, .GIF, .GZ, .ISO, .IBOOKS, .JPEG, .JPG, .KEY, .MDB, .MD2, .MDF, .MHT, .MOBI, .MHTM, .MKV, .MOV, .MP3, .MP4, .MPG, .MPEG, .PICT, .PDF, .PPS, .PKG, .PNG, .PPT, .PPTX, .PPSX, .PSD, .RAR, .RTF, .SCR, .SWF, .SAV, .TIFF, .TIF, .TBL, .TORRENT, .TXT, .VSD, .WMV, .XLS, .XLSX, .XPS, .XML, .CKP, .ZIP, .JAVA, .PY, .ASM, .C, .CPP, .CS, .JS, .PHP, .DACPAC, .RBW, .RB, .MRG, .DCX, .DB3, .SQL, .SQLITE3, .SQLITE, .SQLITEDB, .PSD, .PSP, .PDB, .DXF, .DWG, .DRW, .CASB, .CCP, .CAL, .CMX, .CR2.
Unlike many other ransomware Trojans that use similar attacks, the Cry9 Ransomware does not change the infected files' names, which makes it difficult to tell exactly which files have been compromised. The Cry9 Ransomware avoids files in the Windows directory and other directories that contain files essential for Windows to function properly. As a result, Windows continues to function, but computer users can no longer access their data. The Cry9 Ransomware leaves the system running so that it can deliver its ransom note. The ransom note is contained in a text file that is dropped on the infected computer's desktop. This file is named 'Arquivos criptografados.txt,' Portuguese for 'Encrypted files.txt,' and contains the following message (originally in Portuguese):
'!!! YOUR FILES WERE ENCRYPTED !!!
Your personal identification: [RANDOM CHARACTERS]
To receive the decoder you must pay for the program.
Buy 0.5 BTC on these sites:
BITCOIN ADDRESS TO PAY:
Send 0.5 btc for decoding
1. Send a screenshot or payment photo to the address: email@example.com
2. If you want to remain anonymous or if you are not receiving a response, try using the bit message IM client (bitmessage.ch) and use this address to contact me:
BM-[RANDOM CHARACTERS]@bitmessage.ch. This method will work 100%.
3. In the email you must include your personal identification [RANDOM CHARACTERS].
You will then receive the decoder and instructions.'
Dealing with a Cry9 Ransomware Infection
The Cry9 Ransomware demands the payment of a ransom of 0.5 Bitcoin (approximately $550 USD), a very large amount for computer users in Brazil. PC security experts advise computer users to protect their files by keeping backup copies of them on an external memory device. A fully up-to-date security program can be used to intercept the Cry9 Ransomware infection and to remove the Cry9 Ransomware if it has been installed on a computer. However, due to the method of encryption that the Cry9 Ransomware uses, the files affected by the Cry9 Ransomware will not be recoverable without the decryption key.
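Because the Cry9 Ransomware leaves file names unchanged, deciding which files to restore from backup has to be done by content rather than by name. The following is an added example, not part of the original article or of any vendor tool: it flags files whose extension is on the list above but whose leading bytes no longer match the format, and text-like files whose byte entropy looks random. The entropy threshold, the sample size and the demo file names are assumptions made for this sketch.

```python
import hashlib, math, os, tempfile
from collections import Counter

# Leading bytes expected for some extensions the article lists (well-known signatures).
MAGIC = {
    ".pdf": [b"%PDF"], ".png": [b"\x89PNG\r\n\x1a\n"], ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"], ".7z": [b"7z\xbc\xaf\x27\x1c"],
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"], ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"], ".pptx": [b"PK\x03\x04"], ".rar": [b"Rar!\x1a\x07"],
}
TEXT_LIKE = {".txt", ".csv", ".xml", ".css", ".js", ".py", ".sql", ".php", ".conf"}
ENTROPY_LIMIT = 7.5   # assumed threshold in bits/byte; plain text is usually below 6
MIN_SAMPLE = 1024     # smaller samples cannot reach a meaningful entropy value

def entropy(data):
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def classify(path):
    """Return 'ok', 'suspect' or 'unknown' for one file, judged by content only."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if ext in MAGIC:  # structured format: the signature must still be present
        return "ok" if any(head.startswith(m) for m in MAGIC[ext]) else "suspect"
    if ext in TEXT_LIKE and len(head) >= MIN_SAMPLE:  # no signature: use entropy
        return "suspect" if entropy(head) > ENTROPY_LIMIT else "ok"
    return "unknown"

def scan(root):
    """Walk root and map each file's relative path to its classification."""
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            full = os.path.join(d, name)
            out[os.path.relpath(full, root)] = classify(full)
    return out

def demo():
    """Constructed sample tree: two intact files, two overwritten with random-looking bytes."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
    samples = {"photo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 64, "report.pdf": noise,
               "notes.txt": b"meeting notes, nothing unusual here\n" * 40, "ledger.csv": noise}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__": print(demo())
```

Files reported as 'unknown' are either too small for the entropy check or of a type this sketch has no signature for, so they still need to be compared against the backup copy.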