Crysis Ransomware

Crysis Ransomware Description

In March of 2016, PC security analysts started observing the Crysis Ransomware infections. This threat, like most encryption ransomware Trojans, encrypts the victim's files and demands the payment of a ransom to get the decryption key. The Crysis Ransomware can be identified because it changes the encrypted files' extensions to '.the Crysis.' Tthe Crysis Ransomware poses a significant threat to computer users and should be removed immediately.

How the Attack of the Crysis Ransomware Functions

The Crysis Ransomware encrypts files using an RSA encryption algorithm and the AES-128 encryption. After encrypting the victim's files, the Crysis Ransomware demands the payment of a ransom to provide the decryption key. When a file has been encrypted by the Crysis Ransomware, it becomes inaccessible. The Crysis Ransomware drops text files containing information on how to pay the ransom. The most common way in which the Crysis Ransomware is distributed is through corrupted spam email attachments and embedded links. The presence of the Crysis Ransomware and similar threats have been observed on file sharing networks.

When the Crysis Ransomware enters a computer, it scans the affected hard drives in search for files to encrypt. In its configuration settings, the Crysis Ransomware contains a list of file extensions that it searches for. Common file types that are encrypted during a Crysis Ransomware attack include:

.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps.

The Crysis Ransomware drops text files in directories where it has encrypted the victim's files. The following is the content of these text files:

Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key recover is impossible! To get the decoder and the original key, you need to to write us at the email:dalailama2015@protonmail.ch with subject “encryption” stating your id.
Write in the case, do not waste your and our time on empty threats.
Responses to letters only appropriate people are not adequate ignore.
P.S. only in case you do not receive a response from the first email address within 48 hours please use this alternative email goldman0@india.com.

This message is also displayed on the victim's desktop since the Crysis Ransomware replaces the victim's desktop image with its ransom note.

Dealing with the Crysis Ransomware

The two email addresses contained in the Crysis Ransomware ransom note belong to domains in the Czech Republic and India. However, it is currently unknown where the Crysis Ransomware infection originates. PC security researchers strongly advise computer users to avoid paying the Crysis Ransomware ransom, since there is no guarantee that the people responsible for the Crysis Ransomware will provide the decryption key. More importantly, paying the ransom enables the con artists responsible for the Crysis Ransomware to continue creating and distributing these threats. Instead, it is important to ensure that you have a backup of your files on an external drive or location. This way, after a Crysis Ransomware infection (or an infection with a similar threat), the files can be recovered from the backup after deleting the Crysis Ransomware with the help of a reliable anti-malware program that is fully up-to-date.

Infected with Crysis Ransomware? Scan Your PC

Download SpyHunter's Spyware Scanner
to Detect Crysis Ransomware
* SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?


Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

If you still can't install SpyHunter? View other possible causes of installation issues.

Technical Information

Infection Statistics


Our MalwareTracker shows malware activity across the world. Explore real-time data of Crysis Ransomware outbreaks and other threats from global to local level.

File System Details

Crysis Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 %SystemDrive%\Users\station2\AppData\Roaming\2.exe 90,112 cfbe1db871098e97321245e06a845152 231
2 %WINDIR%\System32\speed test.exe 407,040 bab6e87dffc39eaa392c1aef2282f8ca 190
3 %WINDIR%\system32\injury.exe 90,112 2c1abc0569d4ee4aac1cac71df89c0bf 168
4 %APPDATA%ready.exe 355,840 54412b02d5846b4943051e7c9f3d3d61 146
5 %SystemDrive%\Users\dilna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skanda 28.exe 222,142 573c6af1a654d3df1653e690437df226 143
6 %WINDIR%\System32\subaru.exe 90,112 8fb89116c9d024603572095a4dbf219e 141
7 %WINDIR%\System32\enterprise@aol.com.exe 90,112 4be48be7557f7f033ad94e41eff108e4 126
8 %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\payload_102DRK.exe 90,112 6ae66793073cab9e0dc900d9592bd940 109
9 %WINDIR%\System32\cry.exe 227,328 2cc8e1562080519b3d0250e685254ba5 103
10 %SystemDrive%\Users\FABIO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Compil33.exe 9,967,111 1e32683d6446f826dd311b24d1951e25 100
11 %APPDATA%1crd.exe 160,257 7ab90e73a61eb86007b490a9409c1b97 98
12 %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\File.exe 90,112 80a1990e675fd8b640fc81f427ba28d6 97
13 %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\payl.exe 90,112 63b0fc40656774b571780e5e50973398 97
14 %WINDIR%\System32\supp_cry.exe 197,154 15e70e6fc9c4084bab57d85e63cefdfb 88
15 %WINDIR%\System32\12123CRANNBEST.exe 390,959 568857946ba669ecb20a6a475f7dd126 82
More files

Site Disclaimer

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.

IMPORTANT! To be able to proceed, you need to solve the following simple math.
Please leave these two fields as is:
What is 4 + 5 ?