Crysis Ransomware

Crysis Ransomware Description

Crysis Ransomware is a malware threat that locks up files on infected computers and then demands a ransom in exchange for a decryption key. Files encrypted by Crysis become inaccessible for the user and the data stored in them can hardly be recovered as the malware uses a sophisticated method for encrypting the files on the victim's computer. Side effects of this infection are also an overall sluggish performance of the computer, as well as certain tools and applications not working properly. Crysis ransomware affects only computers running the Windows operating system, and it appeared for the first time in March 2016. Since then, cybersecurity researchers have identified many different variants and versions of this dangerous ransomware, and since some of them strongly resemble other significant threats like Dharma and Arena ransomware, the experts have decided to refer to all of these threats as the Crysis/Dharma Ransomware family. Just like other malware from the family, Crysis appends a specific extension to the encrypted files, however, extensions vary depending on which particular variant of the malware has infected the computer.

Due to its extended malicious capabilities, Crysis should be removed as soon as possible after it has been discovered, and PC security experts advise never to contact the cybercriminals and never to pay the required ransom as there is no guarantee that they will actually send you the promised decryption key. The distribution channels of Crysis ransomware have evolved as well through the years. While, initially, spam emails containing malicious attachments and corrupted links have been the main means of distribution for this dangerous ransomware, currently the attackers do not rely on social engineering techniques to conduct the attacks.

Ways of Distribution

Since September 2016, Crysis is mainly distributed through weakly protected Remote Desktop Protocols (RDPs), whereby the first attacks of that kind have been registered in Australia and New Zealand. In order to hack a computer through this channel, attackers first scan the Internet for unprotected RDPs and then connect to them on port 3389 by cracking the necessary Windows password for administrator access to the system. Then, they install the malware manually on the target system, whereby they can also run the malicious script on all other peripheral devices connected to the hacked computer, as well as on other computers connected to the same network.

Ransomware from the Crysis family initially targeted mostly individual PC users, however, since the beginning of February cybersecurity researchers have identified a new trend in the development of the malware family. Apart from the staggering growth in the number of attacks and the worldwide expansion of the ransomware, the attackers have also changed their strategy and are now mainly targeting large corporations and major institutions. For that purpose, while scanning for open RDP ports, the hackers now try to find out whether the computers connected to a particular network are corporate computers, in which case they are more likely to continue with the attack. Logically, the reason for that shift is the fact that companies are more likely to pay a high amount of ransom in order to get their data back.

Technical Data

As already mentioned, the malware is installed manually on the target machine. However, before the actual installation, and before the start of the encryption process, the ransomware owners drop some keylogging programs through which they can monitor the victim's activities, and collect general system data as well as personal data related to the particular user. Exactly through such credentials harvesting and monitoring activities, the hackers can extend the scope of the attack and compromise other devices or resources connected to the same network. At the same time, the collected data also allows the hackers to customize the amount of the required ransom, depending on whether their victim is an individual user or a company. As a consequence, this amount can reach thousands of dollars if the Crysis ransomware variant has hit a large corporate network, for example.

After installation, among the first actions performed by the ransomware is to create its own startup keys in the Windows registry, as well as copies of its code in folders containing legit Windows files, like C:\Windows\System32, C:\Program Data, C:\Program Files, and C:\Users\Programs\Startup. This is done in order to ensure the malware's persistence and to allow the encryption of recently created files. Malicious files, processes, and registry keys belonging to Crysis can have random different names, so it is hard to recognize them immediately and to distinguish them from legitimate object belonging to the Windows operating system. This is one of the reasons why the removal of this ransomware typically requires a professional malware cleaning tool.

The next step in Crysis routine is to scan all files on the hard disk of the infected computer, comparing them against an inbuilt list of files suitable for encryption. Almost all popular file formats are included in that list, ensuring that the malware manages to identify and encrypt all files that can possibly contain valuable user data in any form. Furthermore, Crysis has turned into a real high-profile ransomware threat as its latest versions are capable of encrypting nearly every single file on the infected machine, including system files with no extension and executable files, and that no matter of the file location - on fixed, removable or networked drives. This is something unseen before in other ransomware cases, and it proves the fearsome malicious capabilities of the Crysis/Dharma ransomware family. As for the encryption engine employed by Crysis ransomware, as typical for the entire ransomware family, Crysis uses a mixture of RSA encryption and AES-128 encryption algorithms with the private key being stored on the hackers' server. Since its first appearance in 2016, the different ransomware threats from the Crysis family have appended different extensions to the encrypted files. In a chronological order starting from the very first version onwards, these extensions are: .crysis, .dharma, .wallet, .onion, .arena, .cobra, ,java, .arrow, .bip, .cmb, .brr, .gamma, .bkp, .monro, .boost, .adobe, .cccmn, .AUDIT, .tron. The latest version of Crysis detected in the middle of November this year adds the .Back and .Bear extensions to the locked files, while in some cases, the contact address of the attackers is also added to the name of the encrypted files, as well as a unique victim ID that is individually generated to each infected user.

After the encryption is complete, Crysis creates ransom notes in the form of text files in which the malware owners explain how they should be contacted by the victim and how the ransom should be paid. The malware typically creates two files for the ransom note - one HTML file that opens automatically and replaces the user's default desktop image, and a TXT file which is placed on the desktop, and in some cases, also in any infected folder. These ransom note files can be named Help_Decrypt_FILES.html, Help_Decrypt_FILES.txt, info.hta, Files encrypted!!.txt, while the ransom note itself states the following:

"Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key recover is impossible! To get the decoder and the original key, you need to to write us at the with subject "encryption" stating your id.
Write in the case, do not waste your and our time on empty threats.
Responses to letters only appropriate people are not adequate ignore.
P.S. only in case you do not receive a response from the first email address within 48 hours please use this alternative email"

Research shows that the two email addresses given in Crysis ransom note belong to domains located in the Czech Republic and India, yet it cannot be concluded from this fact that the malware also originates from these countries. A version that appeared in late 2017 instructs its victims to contact a different email address for payment instructions, namely Other known addresses used by the malware to communicate with its victims include,,,

Free decryption tools have been released for certain versions released before May 2017, while for the rest of the variants it is not uncommon that the encrypted files can only be recovered from backups. This comes from another malicious activity that Crysis is able to perform - it can be programmed to remove Shadow Volume Copies and System Restore Points, making thus the recovery of the encrypted data impossible without a professional backup recovery solution. This malware can also deploy additional Trojans and other threats on the infected computer, allowing the attackers, for example, to spy on all user activities in real time. Popular malicious payloads dropped by Crysis ransomware also include cryptocurrency miners, keyloggers, and other viruses.

Prevention and Removal Techniques

In order to avoid an infection with Crysis ransomware, it is recommended to use strong passwords for your computer's communication channels. Additionally, users are advised to install a reliable anti-malware program, to enable a firewall, and to keep their system up-to-date at any moment. A Crysis ransomware infection can also be prevented by responsible and safe behavior on the Internet, which includes avoiding suspicious websites that can contain malicious content, ignoring email attachments from unknown senders, and downloading files, programs, and software updates only from authorized sources. Maintaining regular backups of all important data is also a must because, sometimes, that is the only way files locked by such a ransomware threat can be recovered after the malware has been removed from the system.

Once a computer has been infected with Crysis, it is not recommended to try to remove it without a professional removal tool. This type of malware drops its malicious files in the core of the Windows operating system, affecting crucial legitimate Windows applications and process and making it hard for an inexperienced user to locate and delete these without interfering with the regular operations of the computer. It is of crucial importance to clean your PC completely from Crysis ransomware, since if some part of the malware remains on the system it can easily start to encrypt files again.

When the Crysis Ransomware enters a computer, it scans the affected hard drives in search for files to encrypt. In its configuration settings, the Crysis Ransomware contains a list of file extensions that it searches for. Common file types that are encrypted during a Crysis Ransomware attack include:

.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps.

The '.AUF File Extension' Ransomware is a file-encryption Trojan whose attacks may render the majority of your files inaccessible swiftly. This is because this threat is programmed to use a secure file-locking algorithm that utilizes a unique generated encryption key to lock the contents of popular file formats like documents, images, videos, archives and others. All encrypted data will have its name changed to include the '.AUF' extension so that, for example, a file called 'backup.rar' would be named 'backup.rar.AUF' after the attack.

The '.AUF File Extension' Ransomware has been identified as a slightly modified variant of the Crysis Ransomware and, unfortunately, this means that its victims will not be able to rely on a free decryptor to assist them with the recovery of their files. After the '.AUF File Extension' Ransomware carries out its attack, it drops a ransom note whose purpose is to provide the victims with contact details and instructions on what they should do if they want to be able to use their files again. The bad news is that the solution the attackers offer is rather expensive – they demand to receive a Bitcoin payment in exchange for their decryption software. We would not suggest sending money to anonymous cybercriminals who have just infected your computer with malware, because it would be very easy for them to take the money without providing you with anything in return. The email used for this particular member of the Crysis Ransomware family is

As a victim of the '.AUF File Extension' Ransomware, you should not even consider contacting the attackers, because it is unlikely that anything good will come out of this. Instead, you should proceed to run a trustworthy anti-malware tool immediately, and use its scanner to eradicate all files linked to the '.AUF File Extension' Ransomware. When this task is complete, you should proceed to the last step of the recovery process, which requires you to restore your files from a backup or use alternative file recovery utilities.

Do You Suspect Your Computer May Be Infected with Crysis Ransomware & Other Threats? Scan Your Computer with SpyHunter

SpyHunter is a powerful malware remediation and protection tool designed to help provide users with in-depth system security analysis, detection and removal of a wide range of threats like Crysis Ransomware as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover*
Free Remover allows you, subject to a 48-hour waiting period, one remediation and removal for results found. Read our EULA, Privacy Policy & Special Discount Terms. See more Free SpyHunter Remover details.

Technical Information

File System Details

Crysis Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 %WINDIR%\System32\3A13.tmp.exe\3A13.tmp.exe 641,536 cced409e95d6c2e44823381df3880d96 136
2 %WINDIR%\System32\67E7.tmp.exe\67E7.tmp.exe 614,400 846b068b46c7e07fd375c5337b50476b 91
3 %WINDIR%\System32\DA69.tmp.exe\DA69.tmp.exe 816,128 563dcf99dcde57acd27af5d8c3106d63 91
4 %WINDIR%\System32\731.tmp.exe\731.tmp.exe 916,480 7c7d821e85b6f5d237612a0ad63c5244 85
5 %WINDIR%\System32\E62B.tmp.exe\E62B.tmp.exe 624,128 e853c4cbf08ee22314aa3774df173253 60
6 %SYSTEMDRIVE%\Users\HAMIM\AppData\Roaming\20e12340.exe\20e12340.exe 288,256 9a1fadd640269f26c4f90e00413c0698 56
7 %WINDIR%\System32\B7C9.tmp.exe\B7C9.tmp.exe 901,632 9390d7fcb41867482a31c355c311ba03 49
8 %WINDIR%\System32\3CD.tmp.exe\3CD.tmp.exe 615,424 299ed986a6988eb277a59c377d72f538 44
9 %SYSTEMDRIVE%\Users\Arnicsc\AppData\Roaming\992C.tmp.exe\992C.tmp.exe 272,384 aed9c97d4e7c2271d16029b4049d179a 44
10 %SYSTEMDRIVE%\Users\Usuário\AppData\Roaming\d2c14b63.exe\d2c14b63.exe 502,272 062943859cf1e395aafde8be2bfbf750 28
11 %SYSTEMDRIVE%\users\nologyadmin\appdata\roaming\microsoft\windows\start menu\programs\startup\svhost.exe 94,720 801175d89e13fdc031597dff0d129c63 27
12 %SYSTEMDRIVE%\Users\Administrator.APPSERVER\AppData\Roaming\0402.exe\0402.exe 699,904 300e91cb7b02efe7bcaa66463779bd0f 25
13 %WINDIR%\System32\0303.exe\0303.exe 594,432 d3fb9d3162b8a5526658a82737700194 16
14 %SYSTEMDRIVE%\Users\Michell\AppData\Roaming\bea04ab8.exe\bea04ab8.exe 220,672 c693cee97c59515423021f0833fb7ae2 15
15 C:\Users\ANTONINO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\113_1.exe 358,912 d514d2c83259736eb02e9c21c70cf7ce 12
16 %SYSTEMDRIVE%\users\arcgis\appdata\roaming\1data.exe 94,720 de280727b467a3c874321e0d9faf9084 10
17 C:\Users\Convidado\AppData\Roaming\1Ocean.exe 462,848 6493d3c8185bc890925ab2533072b560 10
18 c:\users\julius\appdata\local\temp\y5sxvjna.part 528,384 681949435d7ea0b71d91078943411a39 9
19 %SYSTEMDRIVE%\users\user1\appdata\roaming\microsoft\windows\start menu\programs\startup\exlorer64.exe 94,720 22cbb102cb581c8a5eab927696e7c2f9 8
20 %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\expiorer.exe 94,720 f27dc437b99c49104a40c36c92e7605c 7
21 190a1da8c89f7d4f296ff387f4a5fc40.exe 326,687 190a1da8c89f7d4f296ff387f4a5fc40 7
22 %ALLUSERSPROFILE%\system.exe\system.exe 1,294,336 e78a07edb2dff90e3e1269d0aebfbe6f 6
23 %WINDIR%\system32\chrome64b.exe 94,720 911de1532d32bf09732f12263487f2f1 6
24 %SYSTEMDRIVE%\users\invitado\appdata\roaming\v51es5bd.exe 1,004,544 d710195d502051950c9d69c9ec037473 5
25 C:\Users\oracle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.exe 168,448 be1f7684877da90955e64d845eab7cda 3
26 C:\Users\ander\AppData\Roaming\7b50d997.exe 338,944 fea385d6b88e6cf0e5a3fa4a939bba43 3
27 %SYSTEMDRIVE%\users\ry\appdata\roaming\cc08.tmp.exe 457,216 2cd0b38ee73521578c487b744606c63c 3
28 %SYSTEMDRIVE%\users\tomas\desktop\ae56c68519963679e6d0a248598f828bf3ba788895c50fab39dffabfadcfb201.exe 259,584 05e54bb1eb258389f3c3625f9c069d4b 2
29 9f3ea1850f9d879de8a36dc778dfffba 1,093,632 9f3ea1850f9d879de8a36dc778dfffba 1
30 c:\users\julius\appdata\local\temp\dfx+ychs.part 8,966,229 cf00c5806fd9be5886fe65735244bf1e 0
More files

Registry Details

Crysis Ransomware creates the following registry entry or registry entries:
Regexp file mask
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[RANDOM CHARACTERS]_201[NUMBERS]-[NUMBERS]-[NUMBERS]_[NUMBERS]-[NUMBERS].exe
%appdata%\microsoft\windows\start menu\programs\startup\[RANDOM CHARACTERS]payload.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Skanda[RANDOM CHARACTERS].exe
%APPDATA%\microsoft\windows\start menu\programs\startup\winhost.exe

Related Posts

Site Disclaimer is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.