Crysis Ransomware Description
In March of 2016, PC security analysts started observing the Crysis Ransomware infections. This threat, like most encryption ransomware Trojans, encrypts the victim's files and demands the payment of a ransom to get the decryption key. The Crysis Ransomware can be identified because it changes the encrypted files' extensions to '.the Crysis.' The Crysis Ransomware poses a significant threat to computer users and should be removed immediately.
How the Attack of the Crysis Ransomware Functions
The Crysis Ransomware encrypts files using RSA together with AES-128 encryption. After encrypting the victim's files, the Crysis Ransomware demands the payment of a ransom to provide the decryption key. Once a file has been encrypted by the Crysis Ransomware, it becomes inaccessible. The Crysis Ransomware drops text files containing information on how to pay the ransom. The most common way in which the Crysis Ransomware is distributed is through corrupted spam email attachments and embedded links. The presence of the Crysis Ransomware and similar threats has also been observed on file sharing networks.
When the Crysis Ransomware enters a computer, it scans the affected hard drives in search of files to encrypt. In its configuration settings, the Crysis Ransomware contains a list of file extensions that it searches for. Common file types that are encrypted during a Crysis Ransomware attack include:
.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, .sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps.
The Crysis Ransomware drops text files in directories where it has encrypted the victim's files. The following is the content of these text files:
Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key recover is impossible! To get the decoder and the original key, you need to to write us at the email:email@example.com with subject “encryption” stating your id.
Write in the case, do not waste your and our time on empty threats.
Responses to letters only appropriate people are not adequate ignore.
P.S. only in case you do not receive a response from the first email address within 48 hours please use this alternative email firstname.lastname@example.org.
This message is also displayed on the victim's desktop since the Crysis Ransomware replaces the victim's desktop image with its ransom note.
Dealing with the Crysis Ransomware
The two email addresses contained in the Crysis Ransomware ransom note belong to domains in the Czech Republic and India. However, it is currently unknown where the Crysis Ransomware infection originates. PC security researchers strongly advise computer users to avoid paying the Crysis Ransomware ransom, since there is no guarantee that the people responsible for the Crysis Ransomware will provide the decryption key. More importantly, paying the ransom enables the con artists responsible for the Crysis Ransomware to continue creating and distributing these threats. Instead, it is important to ensure that you have a backup of your files on an external drive or location. This way, after a Crysis Ransomware infection (or an infection with a similar threat), the files can be recovered from the backup after deleting the Crysis Ransomware with the help of a reliable anti-malware program that is fully up-to-date.
Security Doesn't Let You Download SpyHunter or Access the Internet?
Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow these steps to download SpyHunter and regain access to the Internet:
- Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
- Use removable media. Download SpyHunter on another clean computer, copy it to a USB flash drive or burn it to a DVD/CD (or any preferred removable media), then install it on your infected computer and run SpyHunter's malware scanner.
- Start Windows in Safe Mode. If you cannot access your Windows desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
- IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.
File System Details

| # | File Name | Size | MD5 | Detection Count |
|---|---|---|---|---|
| 5 | %SystemDrive%\Users\dilna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skanda 28.exe | 222,142 | 573c6af1a654d3df1653e690437df226 | 143 |
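The three artifacts described above (the appended file extension, the dropped ransom note in each encrypted directory, and the dropper placed in the user's Startup folder) are what a responder looks for when triaging a machine. The following script is an added example, not code from the original page or from any vendor product: it walks a directory tree and reports files carrying the appended extension, text files whose opening line matches the ransom note, and any executable in a Windows Startup folder together with its MD5 checked against the hash from the File System Details table. The extension string is taken from the write-up as printed and is a parameter, so it can be changed for the variant actually observed; `build_sample_tree()` constructs a harmless sample directory so the script runs offline.

```python
"""Defensive triage helper for Crysis-style ransomware artifacts (added example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Appended extension as reported in the write-up above; adjust for the variant seen.
ENCRYPTED_SUFFIX = ".the Crysis"
# Opening phrase of the dropped ransom note, used to recognise the note files.
NOTE_MARKER = "Your computer was attacked by virus-encoder"
# MD5 of the Startup-folder dropper listed in the File System Details table.
KNOWN_BAD_MD5 = {"573c6af1a654d3df1653e690437df226"}
# Path fragment identifying a per-user Windows Startup folder (compared lower-cased).
STARTUP_PATH_FRAGMENT = os.path.join("start menu", "programs", "startup")


@dataclass
class ScanReport:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    # (path, md5 hex digest, matches a known-bad hash)
    startup_executables: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes
                    or any(bad for _, _, bad in self.startup_executables))


def md5_of(path: str) -> str:
    """Stream the file through MD5 so large files do not get loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, suffix: str = ENCRYPTED_SUFFIX) -> ScanReport:
    """Collect the three artifact classes under `root`."""
    report = ScanReport()
    suffix_l = suffix.lower()
    for dirpath, _dirs, files in os.walk(root):
        in_startup = STARTUP_PATH_FRAGMENT in dirpath.lower()
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(suffix_l):
                report.encrypted_files.append(path)
            elif lower.endswith(".txt"):
                # Only the head of the file is read; the note marker sits in its first line.
                try:
                    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                        if NOTE_MARKER.lower() in fh.read(4096).lower():
                            report.ransom_notes.append(path)
                except OSError:
                    pass
            if in_startup and lower.endswith(".exe"):
                digest = md5_of(path)
                report.startup_executables.append((path, digest, digest in KNOWN_BAD_MD5))
    return report


def build_sample_tree() -> str:
    """Constructed sample tree (placeholder bytes, not real malware) to exercise scan_tree()."""
    root = tempfile.mkdtemp(prefix="crysis-demo-")
    docs = os.path.join(root, "Users", "victim", "Documents")
    startup = os.path.join(root, "Users", "victim", "AppData", "Roaming", "Microsoft",
                           "Windows", "Start Menu", "Programs", "Startup")
    os.makedirs(docs)
    os.makedirs(startup)
    with open(os.path.join(docs, "report.docx" + ENCRYPTED_SUFFIX), "wb") as fh:
        fh.write(b"\x00opaque ciphertext placeholder\x00")
    with open(os.path.join(docs, "budget.xlsx"), "wb") as fh:
        fh.write(b"PK\x03\x04 untouched workbook placeholder")
    with open(os.path.join(docs, "how to decrypt.txt"), "w", encoding="utf-8") as fh:
        fh.write("Attention! Your computer was attacked by virus-encoder.\n")
    with open(os.path.join(docs, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("meeting at 10\n")
    # Same file name as the table entry, but placeholder content, so its MD5 will not match.
    with open(os.path.join(startup, "Skanda 28.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not the real sample")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print("encrypted files :", result.encrypted_files)
    print("ransom notes    :", result.ransom_notes)
    for path, digest, known in result.startup_executables:
        print("startup exe     :", path, digest, "KNOWN BAD" if known else "unknown hash")
    print("infected        :", result.infected)
```

On a real triage the unknown-hash Startup executable is still worth attention: the table's hash identifies one build, and a Startup-folder executable the user did not install is suspicious regardless of whether its hash is on a list.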