Crysis Ransomware Gaining Foothold, Sets Sights to Take Over TeslaCrypt

crysis-ransomwareWith the departure of TeslaCrypt (detected by Trend Micro as TROJ_CRYPTESLA.A) from the ransomware circle, similar high-profile extortion malware such as CryptXXX (RANSOM_WALTRIX.C), Locky (Ransom_LOCKY.A) and Cerber (RANSOM_CERBER.A) are expected to carve their way into the market share previously owned by TeslaCrypt. Variants of CryptXXX, Locky and Cerber even went through major overhauls and had multiple, successive updates to expand their territories among infected users and organizations. They do so by introducing new capabilities such as network scanning, DDoS and information theft, adding more distribution methods and attack vectors, as well as selling the malware in the Deep Web as customizable toolkits for budding cybercriminals.

According to a  report by security firm ESET another player in ransomware operations is quietly, but quickly, gaining a foothold on individual users and enterprises,. It is a low profile ransomware named Crysis, which is setting its sights to become TeslaCrypt’s successor, having already shown signs of being more prevalent than Locky.

[Read: How Does Ransomware Work?]

First detected in February, Crysis slithers its way to a user’s computer through emails containing attachments with double file extensions, which will  make the malicious files appear as non-executable files. It also hitches a ride via spam emails with compromised URLs and websites that users may unwittingly click or visit. ESET’s research showed that the malware is also distributed to online locations and shared networks disguised as a harmless installer for various legitimate programs and applications such as WinRAR, Microsoft Excel and iExplorer.

Crysis is also capable of encrypting more than 185 file types on fixed and removable drives (i.e. USBs and external disks), as well as network shares, through a combination of RSA and AES encryption algorithms. To ensure infection, Crysis deletes the system’s shadow copies, which serve as back-up copies of the computer’s files or volumes.

As a measure of persistence, the ransomware creates and enters new values to the Windows® Registry. This enables the malware to run every time the user logs in to the systemwhich thenmakes it more difficult to remove. Encrypted data are appended with a .crysis extension in their file names.

ESET’s security specialist Ondrej Kubovič added, “Upon execution, it encrypts all file types (including those with no extension), leaving only necessary operating system and malware files untouched. The trojan collects the computer’s name and a number of encrypted files by certain formats, finally sending them to a remote server controlled by the attacker. On some Windows versions, it also attempts to run itself with administrator privileges, thus extending the list of files to be encrypted.”

After encryption, a text file is dropped in the computer’s desktop folder–often accompanied by an image set as the desktop’s wallpaper. Unlike other ransomware, the information in the ransom note is limited to two email addresses which victims can use to communicate with the cybercriminals. The users are then instructed to buy the decryption tool needed to unlock the files via the bitcoin crypto-currency—with prices varying between 400 and 900 euros ($455–$1,022 as of June 8, 2016).

[Read: Why You Need to Back Up Your Files]

Another drawback to users and businesses is that Crysis also encrypts system files. Kubovič explained to SC Magazine, “Most ransomware families are encrypting files with specific extensions, so this behavior is unusual [...] Also, various executable files (.exe, .dll) get encrypted which is not common in comparison to high-profile ransomwares.” Consequently, Kubovic added that the “affected computer may become unstable”

This was the case with variants of the BadBlock and DMA Locker ransomware, which left affected users with inoperable systems and corrupted files before the ransom note can even be sent.

Given that Crysis is mainly distributed via spam emails and malicious URLs, users and businesses are urged to be wary of clicking links, downloading files or opening email attachments from unknown and suspicious senders. A solid back-up strategy is also an effective insurance against ransomware.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.