EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
|Threat Level:||100 % (High)|
|First Seen:||February 19, 2016|
|Last Seen:||March 7, 2023|
Crysis Ransomware is a malware threat that locks up files on infected computers and then demands a ransom in exchange for a decryption key. Files encrypted by Crysis become inaccessible for the user and the data stored in them can hardly be recovered as the malware uses a sophisticated method for encrypting the files on the victim's computer. Side effects of this infection are also an overall sluggish performance of the computer, as well as certain tools and applications not working properly. Crysis ransomware affects only computers running the Windows operating system, and it appeared for the first time in March 2016. Since then, cybersecurity researchers have identified many different variants and versions of this dangerous ransomware, and since some of them strongly resemble other significant threats like Dharma and Arena ransomware, the experts have decided to refer to all of these threats as the Crysis/Dharma Ransomware family. Just like other malware from the family, Crysis appends a specific extension to the encrypted files, however, extensions vary depending on which particular variant of the malware has infected the computer.
Due to its extended malicious capabilities, Crysis should be removed as soon as possible after it has been discovered, and PC security experts advise never to contact the cybercriminals and never to pay the required ransom as there is no guarantee that they will actually send you the promised decryption key. The distribution channels of Crysis ransomware have evolved as well through the years. While, initially, spam emails containing malicious attachments and corrupted links have been the main means of distribution for this dangerous ransomware, currently the attackers do not rely on social engineering techniques to conduct the attacks.
Ways of Distribution
Since September 2016, Crysis is mainly distributed through weakly protected Remote Desktop Protocols (RDPs), whereby the first attacks of that kind have been registered in Australia and New Zealand. In order to hack a computer through this channel, attackers first scan the Internet for unprotected RDPs and then connect to them on port 3389 by cracking the necessary Windows password for administrator access to the system. Then, they install the malware manually on the target system, whereby they can also run the malicious script on all other peripheral devices connected to the hacked computer, as well as on other computers connected to the same network.
Ransomware from the Crysis family initially targeted mostly individual PC users, however, since the beginning of February cybersecurity researchers have identified a new trend in the development of the malware family. Apart from the staggering growth in the number of attacks and the worldwide expansion of the ransomware, the attackers have also changed their strategy and are now mainly targeting large corporations and major institutions. For that purpose, while scanning for open RDP ports, the hackers now try to find out whether the computers connected to a particular network are corporate computers, in which case they are more likely to continue with the attack. Logically, the reason for that shift is the fact that companies are more likely to pay a high amount of ransom in order to get their data back.
As already mentioned, the malware is installed manually on the target machine. However, before the actual installation, and before the start of the encryption process, the ransomware owners drop some keylogging programs through which they can monitor the victim's activities, and collect general system data as well as personal data related to the particular user. Exactly through such credentials harvesting and monitoring activities, the hackers can extend the scope of the attack and compromise other devices or resources connected to the same network. At the same time, the collected data also allows the hackers to customize the amount of the required ransom, depending on whether their victim is an individual user or a company. As a consequence, this amount can reach thousands of dollars if the Crysis ransomware variant has hit a large corporate network, for example.
After installation, among the first actions performed by the ransomware is to create its own startup keys in the Windows registry, as well as copies of its code in folders containing legit Windows files, like C:\Windows\System32, C:\Program Data, C:\Program Files, and C:\Users\Programs\Startup. This is done in order to ensure the malware's persistence and to allow the encryption of recently created files. Malicious files, processes, and registry keys belonging to Crysis can have random different names, so it is hard to recognize them immediately and to distinguish them from legitimate object belonging to the Windows operating system. This is one of the reasons why the removal of this ransomware typically requires a professional malware cleaning tool.
The next step in Crysis routine is to scan all files on the hard disk of the infected computer, comparing them against an inbuilt list of files suitable for encryption. Almost all popular file formats are included in that list, ensuring that the malware manages to identify and encrypt all files that can possibly contain valuable user data in any form. Furthermore, Crysis has turned into a real high-profile ransomware threat as its latest versions are capable of encrypting nearly every single file on the infected machine, including system files with no extension and executable files, and that no matter of the file location - on fixed, removable or networked drives. This is something unseen before in other ransomware cases, and it proves the fearsome malicious capabilities of the Crysis/Dharma ransomware family. As for the encryption engine employed by Crysis ransomware, as typical for the entire ransomware family, Crysis uses a mixture of RSA encryption and AES-128 encryption algorithms with the private key being stored on the hackers' server. Since its first appearance in 2016, the different ransomware threats from the Crysis family have appended different extensions to the encrypted files. In a chronological order starting from the very first version onwards, these extensions are: .crysis, .dharma, .wallet, .onion, .arena, .cobra, ,java, .arrow, .bip, .cmb, .brr, .gamma, .bkp, .monro, .boost, .adobe, .cccmn, .AUDIT, .tron. The latest version of Crysis detected in the middle of November this year adds the .Back and .Bear extensions to the locked files, while in some cases, the contact address of the attackers is also added to the name of the encrypted files, as well as a unique victim ID that is individually generated to each infected user.
After the encryption is complete, Crysis creates ransom notes in the form of text files in which the malware owners explain how they should be contacted by the victim and how the ransom should be paid. The malware typically creates two files for the ransom note - one HTML file that opens automatically and replaces the user's default desktop image, and a TXT file which is placed on the desktop, and in some cases, also in any infected folder. These ransom note files can be named Help_Decrypt_FILES.html, Help_Decrypt_FILES.txt, info.hta, Files encrypted!!.txt, while the ransom note itself states the following:
"Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key recover is impossible! To get the decoder and the original key, you need to to write us at the email:firstname.lastname@example.org with subject "encryption" stating your id.
Write in the case, do not waste your and our time on empty threats.
Responses to letters only appropriate people are not adequate ignore.
P.S. only in case you do not receive a response from the first email address within 48 hours please use this alternative email email@example.com."
Research shows that the two email addresses given in Crysis ransom note belong to domains located in the Czech Republic and India, yet it cannot be concluded from this fact that the malware also originates from these countries. A version that appeared in late 2017 instructs its victims to contact a different email address for payment instructions, namely firstname.lastname@example.org. Other known addresses used by the malware to communicate with its victims include Decryptallfiles@india.com, Tree_of_life@india.com, email@example.com, Guardware@india.com.
Free decryption tools have been released for certain versions released before May 2017, while for the rest of the variants it is not uncommon that the encrypted files can only be recovered from backups. This comes from another malicious activity that Crysis is able to perform - it can be programmed to remove Shadow Volume Copies and System Restore Points, making thus the recovery of the encrypted data impossible without a professional backup recovery solution. This malware can also deploy additional Trojans and other threats on the infected computer, allowing the attackers, for example, to spy on all user activities in real time. Popular malicious payloads dropped by Crysis ransomware also include cryptocurrency miners, keyloggers, and other viruses.
Prevention and Removal Techniques
In order to avoid an infection with Crysis ransomware, it is recommended to use strong passwords for your computer's communication channels. Additionally, users are advised to install a reliable anti-malware program, to enable a firewall, and to keep their system up-to-date at any moment. A Crysis ransomware infection can also be prevented by responsible and safe behavior on the Internet, which includes avoiding suspicious websites that can contain malicious content, ignoring email attachments from unknown senders, and downloading files, programs, and software updates only from authorized sources. Maintaining regular backups of all important data is also a must because, sometimes, that is the only way files locked by such a ransomware threat can be recovered after the malware has been removed from the system.
Once a computer has been infected with Crysis, it is not recommended to try to remove it without a professional removal tool. This type of malware drops its malicious files in the core of the Windows operating system, affecting crucial legitimate Windows applications and process and making it hard for an inexperienced user to locate and delete these without interfering with the regular operations of the computer. It is of crucial importance to clean your PC completely from Crysis ransomware, since if some part of the malware remains on the system it can easily start to encrypt files again.
When the Crysis Ransomware enters a computer, it scans the affected hard drives in search for files to encrypt. In its configuration settings, the Crysis Ransomware contains a list of file extensions that it searches for. Common file types that are encrypted during a Crysis Ransomware attack include:
.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps.
The '.AUF File Extension' Ransomware is a file-encryption Trojan whose attacks may render the majority of your files inaccessible swiftly. This is because this threat is programmed to use a secure file-locking algorithm that utilizes a unique generated encryption key to lock the contents of popular file formats like documents, images, videos, archives and others. All encrypted data will have its name changed to include the '.AUF' extension so that, for example, a file called 'backup.rar' would be named 'backup.rar.AUF' after the attack.
The '.AUF File Extension' Ransomware has been identified as a slightly modified variant of the Crysis Ransomware and, unfortunately, this means that its victims will not be able to rely on a free decryptor to assist them with the recovery of their files. After the '.AUF File Extension' Ransomware carries out its attack, it drops a ransom note whose purpose is to provide the victims with contact details and instructions on what they should do if they want to be able to use their files again. The bad news is that the solution the attackers offer is rather expensive – they demand to receive a Bitcoin payment in exchange for their decryption software. We would not suggest sending money to anonymous cybercriminals who have just infected your computer with malware, because it would be very easy for them to take the money without providing you with anything in return. The email used for this particular member of the Crysis Ransomware family is Decisivekey@tutanota.com.
As a victim of the '.AUF File Extension' Ransomware, you should not even consider contacting the attackers, because it is unlikely that anything good will come out of this. Instead, you should proceed to run a trustworthy anti-malware tool immediately, and use its scanner to eradicate all files linked to the '.AUF File Extension' Ransomware. When this task is complete, you should proceed to the last step of the recovery process, which requires you to restore your files from a backup or use alternative file recovery utilities.
SpyHunter Detects & Remove Crysis Ransomware
File System Details
Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.