Crying Ransomware

By GoldSparrow in Ransomware

The Crying Ransomware is a ransomware Trojan and one of the countless currently active variants of HiddenTear, an open source ransomware platform that first appeared in 2015. There are numerous variants of HiddenTear, which was originally released for 'educational purposes.' Like many other currently active HiddenTear variants, the Crying Ransomware may be delivered to victims as an email attachment in spam email campaigns. There are various ways in which an email attachment can be used to deliver a threat like the Crying Ransomware, including the use of double extensions to hide the nature of the file, hiding the threat in a RAR archive, or using DOCX or PDF files that download and install the Crying Ransomware by using corrupted macro scripts. Once the Crying Ransomware is installed on the victim's computer, it will carry out a typical ransomware Trojan attack, encrypting its victims' files and then demanding the payment of a large ransom to get the decryption key required to recover the files.

The Crying Ransomware may not be Perceived Until It is Too Late

Once the Crying Ransomware is installed on the victim's computer, it will work in the background to encrypt the victim's files by using a strong encryption algorithm. The Crying Ransomware will connect to its Command and Control server to receive configuration instructions and relay information about the encryption process and the infected computer. After encrypting its victims' files, the Crying Ransomware will drop a ransom note in the form of a text file onto the infected computer's desktop. The Crying Ransomware's ransom note is contained in a file named 'READ_IT.txt.' In its attack, the Crying Ransomware will encrypt a wide variety of file types, including the following:

.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp.

The Crying Ransomware's ransom note is displayed in a window named 'Crying' and includes the following message:

'Bitcoin Address: [RANDOM CHARACTERs]
Please click the button to see what happened to your computer.
Closing this windows will result in files being deleted.'

Clicking on the button indicated in the Crying Ransomware message will display a longer message on the infected computer:

'Your Files have been encrypted.
Please read the program to learn how to decrypt your files.
if the program won't open so you can read it. You can start the program again and again until it opens the form with the information displayed.
Q: What has happend to my computer?
A: Your Computer is Infected by "Cry" Ransomware.
---
Q: Can i remove this?
A: Yes, Just send 0.05 Bitcoins to the address on the main page.
---
Q: AnyWay i can get my files back?
A: Yes, Although it's highly unlikely to happen.
---
Q: Why has this happend to me?
A: You downloaded something leaked/Cracked/Downloaded this itself.
---
Q: Is this some type of joke?
A: Check your files. They all have have the extension .crying'

Dealing with a Crying Ransomware Infection

The Crying Ransomware demands a ransom of 0.05 Bitcoin (approximately $150 USD) in exchange for the decryption key. However, computer users are advised to refrain from paying this amount. Research shows that the con artists may not keep their word and deliver the decryption key. Furthermore, paying this ransom allows the con artists to continue developing threats like the Crying Ransomware. Instead of paying, the best measure against these attacks is to have file backups. Being able to recover your files from a backup copy is the best protection against ransomware Trojans, since it completely undermines the attack strategy the Crying Ransomware's creators use to try to threaten computer users into paying the ransom amount.
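The following triage sketch is an added example, not part of the original article or of any vendor tool. It walks a directory tree for the indicators named above (the '.crying' extension and the 'READ_IT.txt' note) and lists targeted file types that are still intact, so they can be backed up first. It assumes the marker is appended to the original file name; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article above.
ENCRYPTED_EXT = ".crying"
RANSOM_NOTE = "read_it.txt"
# Subset of the targeted file types listed in the article.
TARGETED = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
            ".sql", ".mdb", ".csv", ".php", ".html", ".xml", ".psd"}

def triage(root):
    """Walk root and return the article's indicators found beneath it."""
    report = {"encrypted": [], "notes": [], "at_risk": [], "by_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                report["notes"].append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                # Assumption: the marker is appended (report.docx.crying), so the
                # inner extension, when present, shows the original file type.
                inner = os.path.splitext(lower[:-len(ENCRYPTED_EXT)])[1]
                report["encrypted"].append((path, inner or None))
                report["by_dir"][dirpath] += 1
            elif os.path.splitext(lower)[1] in TARGETED:
                # Targeted type that is still readable: back it up first.
                report["at_risk"].append(path)
    return report

def build_sample_tree(root):
    """Constructed sample data: empty files named like an affected profile."""
    for rel in ("Desktop/READ_IT.txt", "Documents/budget.xlsx.crying",
                "Documents/thesis.docx.crying", "Documents/notes.txt",
                "Pictures/cat.jpg.crying", "Pictures/app.exe"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        r = triage(tmp)
        print(len(r["encrypted"]), "encrypted;", len(r["notes"]), "note(s);",
              len(r["at_risk"]), "targeted files still intact")
        for d, n in r["by_dir"].most_common():
            print(f"  {n:3d}  {d}")
```

The per-directory counts show where encryption reached, which helps scope what to restore from backup.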
