
Cyrat Ransomware

By GoldSparrow in Ransomware

The Cyrat Ransomware is a rather peculiar crypto-locker threat: it encrypts files and demands payment for their restoration. According to the G DATA researchers who analyzed it, Cyrat is written in Python 3.7 and packaged into a Windows PE executable with PyInstaller.

Once executed on the compromised computer, the Cyrat Ransomware poses as a DLL fixer. It displays a window listing randomly selected DLL files that it claims to be repairing. Meanwhile, in the background, the files found on the system are being encrypted; when the encryption finishes, the window reports that the DLL files have been fixed successfully.

The Cyrat Ransomware targets specific folders on the compromised machine - 'Desktop,' 'Downloads,' 'Pictures,' 'Music,' 'Videos,' and 'Documents' - and close to 200 file types, taken from a hardcoded list of extensions. Among the targeted files are MS Office documents, databases, audio and video files, image files, etc. The list has a bug, however: the authors left a leading dot on several entries - '.ARC,' '.cpp,' '.cgm,' '.js,' '.fla,' '.asc,' '.crt' and '.sch' - so these entries do not match file names the way the rest of the list does. According to the researchers who analyzed Cyrat, the malware will therefore never encrypt these file types.
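The extension-list bug is easiest to see in code. The following is an added example, not Cyrat's code: it reconstructs one plausible way such a bug arises (a matcher that prepends a dot to every list entry, so entries that already carry one can never match) and shows a normalized matcher that would not have had the problem. The extension list is a constructed excerpt, not the malware's full list, and the matching logic is an assumption about how the bug could occur rather than a description of Cyrat's actual implementation.

```python
import os

# Constructed excerpt of a hardcoded extension list. Some entries carry a
# leading dot, as the analysis reports for Cyrat's list; the full list is
# not reproduced here.
TARGET_EXTENSIONS = ["docx", "xlsx", "sqlite", "mp3", "jpg", ".cpp", ".js", ".crt"]


def is_target_naive(path, extensions=TARGET_EXTENSIONS):
    """Hypothetical reconstruction of the bug: prepend a dot to every entry
    and compare. An entry such as '.cpp' becomes '..cpp', which no real file
    name ends with, so those file types are silently skipped."""
    lower = path.lower()
    return any(lower.endswith("." + ext.lower()) for ext in extensions)


def is_target_normalized(path, extensions=TARGET_EXTENSIONS):
    """Same check with every list entry reduced to a bare extension first,
    so a stray leading dot in the list no longer matters."""
    _, ext = os.path.splitext(path)
    ext = ext.lstrip(".").lower()
    wanted = {e.lstrip(".").lower() for e in extensions}
    return bool(ext) and ext in wanted


def skipped_by_bug(extensions=TARGET_EXTENSIONS):
    """Return the list entries the naive matcher can never hit."""
    return [e for e in extensions if e.startswith(".")]


if __name__ == "__main__":
    for name in ["report.docx", "main.cpp", "app.js", "photo.JPG"]:
        print(name, is_target_naive(name), is_target_normalized(name))
    print("never matched by the naive check:", skipped_by_bug())
```

Running it shows 'main.cpp' and 'app.js' rejected by the naive matcher but accepted by the normalized one, which is exactly the class of files the researchers report Cyrat never encrypts.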

In a rather unusual decision, Cyrat's authors strayed from the encryption schemes commonly used by ransomware, such as the hybrid approach of encrypting each file with a symmetric key and then protecting that key with the attacker's public key. Instead, Cyrat encrypts the user's files with Fernet, the symmetric authenticated-encryption scheme from the Python 'cryptography' library. Fernet operates on whole messages held in RAM and is meant for small payloads, yet the malware does not distinguish between small files and ones that are several gigabytes in size, so every file must be read entirely into memory before it can be encrypted.
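For triage of files produced by a Fernet-based locker it helps to know the token layout. The following is an added example, not code from the page or from Cyrat: a standard-library-only inspector for Fernet tokens. Fernet's documented format is a 0x80 version byte, an 8-byte big-endian timestamp, a 16-byte IV, AES-128-CBC ciphertext and a 32-byte HMAC-SHA256 over everything before it, all url-safe base64 encoded; the 32-byte key splits into a 16-byte HMAC key and a 16-byte AES key, so one secret both encrypts and decrypts. Because AES is not in the standard library, the demo token's ciphertext is placeholder bytes and the keys are constructed values, not anything recovered from the malware.

```python
import base64
import hashlib
import hmac
import struct

FERNET_VERSION = 0x80

# Constructed keys for the demo; a real Fernet key is 32 random bytes.
DEMO_KEY = base64.urlsafe_b64encode(bytes(range(32)))
OTHER_KEY = base64.urlsafe_b64encode(bytes(range(32, 64)))


def split_fernet_key(key_b64):
    """First 16 decoded bytes sign (HMAC-SHA256), last 16 encrypt (AES-128-CBC).
    Whoever holds the key can verify and decrypt every file it produced."""
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def build_token(key_b64, ciphertext, iv, timestamp):
    """Assemble a token around already-encrypted bytes (placeholder bytes in
    this demo). Layout: 0x80 | 8-byte BE timestamp | 16-byte IV | ciphertext | HMAC."""
    signing_key, _ = split_fernet_key(key_b64)
    if len(iv) != 16 or len(ciphertext) % 16:
        raise ValueError("IV must be 16 bytes and ciphertext a multiple of 16")
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def inspect_token(token, key_b64=None):
    """Parse a token into its fields; with a key, also verify the HMAC.
    Returns None when the blob is not structurally a Fernet token."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 1 + 8 + 16 + 32 or raw[0] != FERNET_VERSION:
        return None
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:
        return None
    info = {
        "timestamp": struct.unpack(">Q", raw[1:9])[0],
        "iv": raw[9:25],
        "ciphertext_len": len(ciphertext),
        "hmac_ok": None,
    }
    if key_b64 is not None:
        signing_key, _ = split_fernet_key(key_b64)
        expected = hmac.new(signing_key, raw[:-32], hashlib.sha256).digest()
        info["hmac_ok"] = hmac.compare_digest(expected, raw[-32:])
    return info


def looks_like_fernet_file(data):
    """Cheap on-disk triage: with a timestamp below 2**32 the first five raw
    bytes are 0x80 plus four zero bytes, so the base64 text starts 'gAAAAA'."""
    return data.startswith(b"gAAAAA") and inspect_token(data) is not None


if __name__ == "__main__":
    token = build_token(DEMO_KEY, bytes(32), bytes(16), 1600000000)
    print(token[:16], inspect_token(token, DEMO_KEY))
```

The 'gAAAAA' prefix and the HMAC check give an incident responder two quick ways to confirm that an encrypted file is a Fernet token; the verification also illustrates why a symmetric-only design hinges entirely on where the key ends up, since the same 32 bytes decrypt everything.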

The ransom note dropped by the Cyrat Ransomware is a text file named 'RANSOME_NOTE.txt' placed in each targeted folder. The malware also downloads an image from 'images.idgesg.net,' stores it at 'Documents\background_img.png' and sets it as the desktop background; the image contains no text.

The Cyrat Ransomware also deletes the Shadow Volume Copies and can disable legitimate Windows tools such as CMD and the Task Manager. To achieve persistence, the malware copies itself into the user's autostart folder at '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.'
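The persistence location and the PyInstaller packaging together give a simple triage check. The following is an added example, not from the page or from G DATA's tooling: it walks the per-user Startup folder and flags PE files that carry the PyInstaller archive cookie (the magic bytes 'MEI\x0c\x0b\x0a\x0b\x0e' that PyInstaller appends to the packed executable). The sample files are constructed bytes, not Cyrat samples, and the check only identifies PyInstaller-packed executables, which include plenty of legitimate software, so a hit is a lead for further analysis rather than a verdict.

```python
import os
from pathlib import Path

# Magic that opens the PyInstaller archive cookie at the end of a packed executable.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Per-user Startup folder named in the write-up, relative to %APPDATA%.
STARTUP_SUBPATH = Path("Microsoft/Windows/Start Menu/Programs/Startup")

# Constructed samples: a fake PyInstaller-packed PE, a plain PE, and a shortcut.
SAMPLE_FILES = {
    "dllfixer.exe": b"MZ" + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 16,
    "native.exe": b"MZ" + b"\x00" * 64,
    "notes.lnk": b"L\x00\x00\x00",
}


def is_pe(data):
    """A PE file starts with the 'MZ' DOS header signature."""
    return data[:2] == b"MZ"


def is_pyinstaller_packed(data):
    """PE with the PyInstaller cookie magic somewhere in its bytes."""
    return is_pe(data) and PYINSTALLER_MAGIC in data


def classify(name, data):
    return {"name": name, "pe": is_pe(data), "pyinstaller": is_pyinstaller_packed(data)}


def scan_startup_dir(startup_dir):
    """Classify every regular file in the given Startup folder."""
    results = []
    for entry in sorted(Path(startup_dir).iterdir()):
        if entry.is_file():
            results.append(classify(entry.name, entry.read_bytes()))
    return results


def user_startup_dir():
    """Resolve the current user's Startup folder from %APPDATA%, or None off Windows."""
    appdata = os.environ.get("APPDATA")
    return Path(appdata) / STARTUP_SUBPATH if appdata else None


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(classify(name, data))
    startup = user_startup_dir()
    if startup and startup.is_dir():
        for finding in scan_startup_dir(startup):
            if finding["pyinstaller"]:
                print("PyInstaller-packed autostart entry:", finding["name"])
```

On a live host, run it under the affected user account so %APPDATA% resolves to the right profile; any flagged entry should be hashed and compared against the G DATA indicators before it is removed.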

Although, according to the researchers at G DATA, the current variant of the Cyrat Ransomware appears to be a work in progress, its authors could release a finished version at any point. The researchers also found signs in the code that point to a future expansion of the targeted platforms to macOS (Darwin) and Linux.
