Crysis Ransomware

Crysis Ransomware Description

Type: Ransomware

Crysis Ransomware is a malware threat that locks up files on infected computers and then demands a ransom in exchange for a decryption key. Files encrypted by Crysis become inaccessible for the user and the data stored in them can hardly be recovered as the malware uses a sophisticated method for encrypting the files on the victim's computer. Side effects of this infection are also an overall sluggish performance of the computer, as well as certain tools and applications not working properly. Crysis ransomware affects only computers running the Windows operating system, and it appeared for the first time in March 2016. Since then, cybersecurity researchers have identified many different variants and versions of this dangerous ransomware, and since some of them strongly resemble other significant threats like Dharma and Arena ransomware, the experts have decided to refer to all of these threats as the Crysis/Dharma Ransomware family. Just like other malware from the family, Crysis appends a specific extension to the encrypted files, however, extensions vary depending on which particular variant of the malware has infected the computer.

Due to its extended malicious capabilities, Crysis should be removed as soon as possible after it has been discovered, and PC security experts advise never to contact the cybercriminals and never to pay the required ransom as there is no guarantee that they will actually send you the promised decryption key. The distribution channels of Crysis ransomware have evolved as well through the years. While, initially, spam emails containing malicious attachments and corrupted links have been the main means of distribution for this dangerous ransomware, currently the attackers do not rely on social engineering techniques to conduct the attacks.

Ways of Distribution

Since September 2016, Crysis is mainly distributed through weakly protected Remote Desktop Protocols (RDPs), whereby the first attacks of that kind have been registered in Australia and New Zealand. In order to hack a computer through this channel, attackers first scan the Internet for unprotected RDPs and then connect to them on port 3389 by cracking the necessary Windows password for administrator access to the system. Then, they install the malware manually on the target system, whereby they can also run the malicious script on all other peripheral devices connected to the hacked computer, as well as on other computers connected to the same network.

Ransomware from the Crysis family initially targeted mostly individual PC users, however, since the beginning of February cybersecurity researchers have identified a new trend in the development of the malware family. Apart from the staggering growth in the number of attacks and the worldwide expansion of the ransomware, the attackers have also changed their strategy and are now mainly targeting large corporations and major institutions. For that purpose, while scanning for open RDP ports, the hackers now try to find out whether the computers connected to a particular network are corporate computers, in which case they are more likely to continue with the attack. Logically, the reason for that shift is the fact that companies are more likely to pay a high amount of ransom in order to get their data back.

Technical Data

As already mentioned, the malware is installed manually on the target machine. However, before the actual installation, and before the start of the encryption process, the ransomware owners drop some keylogging programs through which they can monitor the victim's activities, and collect general system data as well as personal data related to the particular user. Exactly through such credentials harvesting and monitoring activities, the hackers can extend the scope of the attack and compromise other devices or resources connected to the same network. At the same time, the collected data also allows the hackers to customize the amount of the required ransom, depending on whether their victim is an individual user or a company. As a consequence, this amount can reach thousands of dollars if the Crysis ransomware variant has hit a large corporate network, for example.

After installation, among the first actions performed by the ransomware is to create its own startup keys in the Windows registry, as well as copies of its code in folders containing legit Windows files, like C:\Windows\System32, C:\Program Data, C:\Program Files, and C:\Users\Programs\Startup. This is done in order to ensure the malware's persistence and to allow the encryption of recently created files. Malicious files, processes, and registry keys belonging to Crysis can have random different names, so it is hard to recognize them immediately and to distinguish them from legitimate object belonging to the Windows operating system. This is one of the reasons why the removal of this ransomware typically requires a professional malware cleaning tool.

The next step in Crysis routine is to scan all files on the hard disk of the infected computer, comparing them against an inbuilt list of files suitable for encryption. Almost all popular file formats are included in that list, ensuring that the malware manages to identify and encrypt all files that can possibly contain valuable user data in any form. Furthermore, Crysis has turned into a real high-profile ransomware threat as its latest versions are capable of encrypting nearly every single file on the infected machine, including system files with no extension and executable files, and that no matter of the file location - on fixed, removable or networked drives. This is something unseen before in other ransomware cases, and it proves the fearsome malicious capabilities of the Crysis/Dharma ransomware family. As for the encryption engine employed by Crysis ransomware, as typical for the entire ransomware family, Crysis uses a mixture of RSA encryption and AES-128 encryption algorithms with the private key being stored on the hackers' server. Since its first appearance in 2016, the different ransomware threats from the Crysis family have appended different extensions to the encrypted files. In a chronological order starting from the very first version onwards, these extensions are: .crysis, .dharma, .wallet, .onion, .arena, .cobra, ,java, .arrow, .bip, .cmb, .brr, .gamma, .bkp, .monro, .boost, .adobe, .cccmn, .AUDIT, .tron. The latest version of Crysis detected in the middle of November this year adds the .Back and .Bear extensions to the locked files, while in some cases, the contact address of the attackers is also added to the name of the encrypted files, as well as a unique victim ID that is individually generated to each infected user.

After the encryption is complete, Crysis creates ransom notes in the form of text files in which the malware owners explain how they should be contacted by the victim and how the ransom should be paid. The malware typically creates two files for the ransom note - one HTML file that opens automatically and replaces the user's default desktop image, and a TXT file which is placed on the desktop, and in some cases, also in any infected folder. These ransom note files can be named Help_Decrypt_FILES.html, Help_Decrypt_FILES.txt, info.hta, Files encrypted!!.txt, while the ransom note itself states the following:

"Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key recover is impossible! To get the decoder and the original key, you need to to write us at the email:dalailama2015@protonmail.ch with subject "encryption" stating your id.
Write in the case, do not waste your and our time on empty threats.
Responses to letters only appropriate people are not adequate ignore.
P.S. only in case you do not receive a response from the first email address within 48 hours please use this alternative email goldman0@india.com."

Research shows that the two email addresses given in Crysis ransom note belong to domains located in the Czech Republic and India, yet it cannot be concluded from this fact that the malware also originates from these countries. A version that appeared in late 2017 instructs its victims to contact a different email address for payment instructions, namely cranbery@colorendgrace.com. Other known addresses used by the malware to communicate with its victims include Decryptallfiles@india.com, Tree_of_life@india.com, mailrepa.lotos@aol.com, Guardware@india.com.

Free decryption tools have been released for certain versions released before May 2017, while for the rest of the variants it is not uncommon that the encrypted files can only be recovered from backups. This comes from another malicious activity that Crysis is able to perform - it can be programmed to remove Shadow Volume Copies and System Restore Points, making thus the recovery of the encrypted data impossible without a professional backup recovery solution. This malware can also deploy additional Trojans and other threats on the infected computer, allowing the attackers, for example, to spy on all user activities in real time. Popular malicious payloads dropped by Crysis ransomware also include cryptocurrency miners, keyloggers, and other viruses.

Prevention and Removal Techniques

In order to avoid an infection with Crysis ransomware, it is recommended to use strong passwords for your computer's communication channels. Additionally, users are advised to install a reliable anti-malware program, to enable a firewall, and to keep their system up-to-date at any moment. A Crysis ransomware infection can also be prevented by responsible and safe behavior on the Internet, which includes avoiding suspicious websites that can contain malicious content, ignoring email attachments from unknown senders, and downloading files, programs, and software updates only from authorized sources. Maintaining regular backups of all important data is also a must because, sometimes, that is the only way files locked by such a ransomware threat can be recovered after the malware has been removed from the system.

Once a computer has been infected with Crysis, it is not recommended to try to remove it without a professional removal tool. This type of malware drops its malicious files in the core of the Windows operating system, affecting crucial legitimate Windows applications and process and making it hard for an inexperienced user to locate and delete these without interfering with the regular operations of the computer. It is of crucial importance to clean your PC completely from Crysis ransomware, since if some part of the malware remains on the system it can easily start to encrypt files again.

When the Crysis Ransomware enters a computer, it scans the affected hard drives in search for files to encrypt. In its configuration settings, the Crysis Ransomware contains a list of file extensions that it searches for. Common file types that are encrypted during a Crysis Ransomware attack include:

.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps.

The '.AUF File Extension' Ransomware is a file-encryption Trojan whose attacks may render the majority of your files inaccessible swiftly. This is because this threat is programmed to use a secure file-locking algorithm that utilizes a unique generated encryption key to lock the contents of popular file formats like documents, images, videos, archives and others. All encrypted data will have its name changed to include the '.AUF' extension so that, for example, a file called 'backup.rar' would be named 'backup.rar.AUF' after the attack.

The '.AUF File Extension' Ransomware has been identified as a slightly modified variant of the Crysis Ransomware and, unfortunately, this means that its victims will not be able to rely on a free decryptor to assist them with the recovery of their files. After the '.AUF File Extension' Ransomware carries out its attack, it drops a ransom note whose purpose is to provide the victims with contact details and instructions on what they should do if they want to be able to use their files again. The bad news is that the solution the attackers offer is rather expensive – they demand to receive a Bitcoin payment in exchange for their decryption software. We would not suggest sending money to anonymous cybercriminals who have just infected your computer with malware, because it would be very easy for them to take the money without providing you with anything in return. The email used for this particular member of the Crysis Ransomware family is Decisivekey@tutanota.com.

As a victim of the '.AUF File Extension' Ransomware, you should not even consider contacting the attackers, because it is unlikely that anything good will come out of this. Instead, you should proceed to run a trustworthy anti-malware tool immediately, and use its scanner to eradicate all files linked to the '.AUF File Extension' Ransomware. When this task is complete, you should proceed to the last step of the recovery process, which requires you to restore your files from a backup or use alternative file recovery utilities.

Technical Information

Screenshots & Other Imagery

SpyHunter Detects & Remove Crysis Ransomware

File System Details

Crysis Ransomware creates the following file(s):
# File Name MD5 Detection Count
1 3A13.tmp.exe cced409e95d6c2e44823381df3880d96 139
2 2110.exe 2566cea080491a6e9c64102b66cb2d1a 102
3 C877.tmp.exe b0f46ff6a22ba47e9847c60bf231d16d 94
4 67E7.tmp.exe 846b068b46c7e07fd375c5337b50476b 91
5 731.tmp.exe 7c7d821e85b6f5d237612a0ad63c5244 85
6 conhost.exe e17c681354771b875301fa30396b0835 80
7 53BB.tmp.exe b510cded2f1ecb49eca3bf95b2ce447e 77
8 914E.tmp.exe dcfd90a02459ee819324c016c1d8ced3 76
9 DD27.tmp.exe 45cef6ecf660235aecb98dc1464e71cb 72
10 A32F.tmp.exe 967238434e258179705b842946715064 67
11 E62B.tmp.exe e853c4cbf08ee22314aa3774df173253 62
12 B7C9.tmp.exe 9390d7fcb41867482a31c355c311ba03 49
13 7bd2.tmp.exe bdcc1679cd27d8b9e601c58e4b2a4f4e 45
14 3CD.tmp.exe 299ed986a6988eb277a59c377d72f538 44
15 75E6.tmp.exe 6bd4da60c0a7e5f1cfa78c6f9ed46c82 38
16 20e12340.exe 054c992351af060048b6c6e0b4c74e53 38
17 99FE.tmp.exe 3b6920ae5d16db71e5faec28ec14839c 35
18 63D9.tmp.exe fb18d3a278711aa1c2aa810adc020fe7 21
19 a881.tmp.exe 289b13c43f1591d099b8fbf9a3c6fd52 17
20 bea04ab8.exe c693cee97c59515423021f0833fb7ae2 15
21 113_1.exe d514d2c83259736eb02e9c21c70cf7ce 12
22 1Ocean.exe 6493d3c8185bc890925ab2533072b560 10
23 y5sxvjna.part 681949435d7ea0b71d91078943411a39 9
24 d2c14b63.exe ad6695604fca996af8b61545b450581f 7
25 exp1mod.exe 16f83403eb45474dcb00395fc671bcdd 6
26 7b50d997.exe fea385d6b88e6cf0e5a3fa4a939bba43 3
27 cc08.tmp.exe 2cd0b38ee73521578c487b744606c63c 3
28 dfx+ychs.part cf00c5806fd9be5886fe65735244bf1e 0
More files

Registry Details

Crysis Ransomware creates the following registry entry or registry entries:
Regexp file mask
%APPDATA%\[RANDOM CHARACTERS]_201[NUMBERS]-[NUMBERS]-[NUMBERS]_[NUMBERS]-[NUMBERS].exe
%APPDATA%\exe.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[RANDOM CHARACTERS]_201[NUMBERS]-[NUMBERS]-[NUMBERS]_[NUMBERS]-[NUMBERS].exe
%appdata%\microsoft\windows\start menu\programs\startup\[RANDOM CHARACTERS]payload.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Skanda[RANDOM CHARACTERS].exe
%APPDATA%\microsoft\windows\start menu\programs\startup\winhost.exe
%APPDATA%\osk.exe
%APPDATA%\setap[RANDOM CHARACTERS].exe
%APPDATA%\Skanda[RANDOM CHARACTERS].exe
%userprofile%\documents\system.exe
%windir%\system32\payload.exe
%WINDIR%\System32\Skanda.exe
%windir%\syswow64\payload.exe

Related Posts

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.