The security researcher MalwareHunterTeam has discovered a new piece of ransomware, named CryLocker, which pretends to be from a phony organization called the Central Security Treatment Organization (CSTO). This ransomware infects users and encrypts their files, appending the “.cry” extension to each file name. Victims are then asked to pay a ransom of $625 (1.1 Bitcoin) to recover their locked data.
Although the ransomware's official name is CryLocker, it is also known as CSTO Ransomware, Cry Ransomware or the Central Security Treatment Organization Ransomware.
An analysis conducted by MalwareHunterTeam, Lawrence Abrams and Daniel Gallagher revealed that CryLocker has some unusual characteristics. For instance, it uses UDP to send information about its victims to the C&C, just as the Cerber Ransomware does. CryLocker also hosts this victim information on public websites such as Pastee.org and Imgur.com, and it queries the Google Maps API to locate the victim using nearby wireless SSIDs.
CryLocker is still being analyzed, and there is still a chance that a free decryptor will be created. Users should therefore keep an eye on the VirusGuides.com news for updates.
When a machine is infected, CryLocker gathers information such as the Windows version, whether Windows is 32- or 64-bit, the user name, the PC name, the service pack and the type of CPU installed. This information is then sent to 4096 different IPs via UDP, one of which is the ransomware's C&C. The crooks are probably using this UDP fan-out to make it harder for the authorities to pinpoint the C&C's location.
CryLocker also uploads the same information, together with a list of all encrypted files, to Imgur.com: it packs the data into a bogus PNG image file and uploads it to an Imgur album. When the upload completes, Imgur responds with a unique filename. This filename is then sent to the 4096 IPs via UDP, informing the C&C that a new victim has been infected.
CryLocker determines the location of the infected device from the SSIDs of nearby wireless networks, using the Google Maps API. The ransomware obtains a list of nearby wireless networks and their SSIDs with the WlanGetNetworkBssList function, then queries the Google Maps API with these SSIDs to find the victim's exact location. Researchers are not sure why the ransomware does this, but they assume the information could be used to generate an image of the victim's location on Google Maps and scare them further into paying the ransom.
The Encryption Process
When CryLocker attacks a PC, it creates a backup of some shortcuts on the victim's desktop and saves them in a folder named “old_shortcuts”. For now, the purpose of this folder remains unknown. When encrypting files, the ransomware appends the “.cry” extension to each one. While encrypting, it also deletes the system's Shadow Volume Copies using the “vssadmin delete shadows /all /quiet” command.
To maintain persistence, the ransomware creates a randomly named scheduled task that triggers when the user logs into Windows.
The CryLocker Ransomware also changes the victim's wallpaper to a ransom note. The one shown below is the only ransom note containing the name “CryLocker”.
Finally, the ransomware creates ransom notes named “!Recovery_[random_chars].html” and “!Recovery_[random_chars].txt” on the victim's desktop. They contain the victim's personal ID and instructions on how to access the TOR-based payment website.
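The host-side traces described in the encryption section (the “old_shortcuts” folder, the “.cry” extension, the vssadmin shadow-copy deletion, the logon-triggered scheduled task and the “!Recovery_[random_chars]” notes) can be matched from endpoint telemetry. The Python below is an added example written for this article, not code from the researchers: it checks Sysmon-style process-creation events and a desktop file listing against those indicators. The events and file names are constructed; the schtasks command-line pattern is an assumption, since the article only says that a randomly named task triggering at logon is created, not how it is registered.

```python
"""Added example (not from the article): match constructed Sysmon-style
process-creation events and a desktop file listing against the CryLocker
host indicators named in the text. The schtasks pattern is an assumption."""
import re
from collections import Counter

# Command line the article reports for shadow-copy deletion (any /all variant)
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)
# Assumed: a logon-triggered task registered through schtasks (/sc onlogon)
LOGON_TASK = re.compile(r"schtasks(?:\.exe)?\s+/create\b.*\s/sc\s+onlogon\b", re.I)
# Ransom note names from the article: !Recovery_[random_chars].html / .txt
RANSOM_NOTE = re.compile(r"^!Recovery_[A-Za-z0-9]+\.(?:html|txt)$", re.I)

# Constructed Sysmon Event ID 1 records (process creation)
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /tn kx8j2q "
                    r"/tr C:\Users\u\AppData\Roaming\x.exe /sc onlogon"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": ""},  # network event, ignored
]

# Constructed desktop listing after an infection
SAMPLE_DESKTOP = ["report.docx.cry", "photo.jpg.cry", "notes.txt",
                  "!Recovery_a8f3k2.html", "!Recovery_a8f3k2.txt", "old_shortcuts"]


def suspicious_processes(events):
    """Return (indicator, command_line) pairs for process-creation events that
    match the shadow-copy deletion or the assumed logon-task registration."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            hits.append(("shadow_copy_deletion", cmd))
        elif LOGON_TASK.search(cmd):
            hits.append(("logon_scheduled_task", cmd))
    return hits


def ransomware_file_indicators(names):
    """Count .cry files, ransom notes and the old_shortcuts folder in a listing."""
    counts = Counter()
    for name in names:
        if name.lower().endswith(".cry"):
            counts["cry_files"] += 1
        elif RANSOM_NOTE.match(name):
            counts["ransom_notes"] += 1
        elif name.lower() == "old_shortcuts":
            counts["old_shortcuts"] += 1
    return dict(counts)


def assess_host(events, desktop_names):
    """Combine both checks into a sorted list of indicator names seen on a host."""
    findings = {kind for kind, _ in suspicious_processes(events)}
    files = ransomware_file_indicators(desktop_names)
    if files.get("cry_files"):
        findings.add("cry_extension")
    if files.get("ransom_notes"):
        findings.add("ransom_note")
    if files.get("old_shortcuts"):
        findings.add("old_shortcuts_folder")
    return sorted(findings)


if __name__ == "__main__":
    for indicator in assess_host(SAMPLE_EVENTS, SAMPLE_DESKTOP):
        print("indicator:", indicator)
```

The shadow-copy deletion is the most time-critical of these signals: it precedes or accompanies encryption, so an alert on that command line from a non-administrative process gives responders a chance to isolate the host before the file listing fills up with “.cry” names.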
The ransom note contains a link to the CryLocker TOR payment site, which has the window title “User Cabinet”. To log in, victims are asked to enter the personal code from the ransom note.
Once logged in, they are shown a page stating that the site belongs to a fake organization named the Central Security Treatment Organization. The ransom sum the victim is expected to pay is also displayed.
The site also has a payment page with the Bitcoin address to which victims should send the payment, and a support page that a victim can use to get in touch with the crooks.
Moreover, the payment site offers a free decryption of one file, so victims should test it before paying.
When a file is submitted for free decryption, the site decrypts it while the victim waits.
However, when tested, this decryption did not appear to work properly: after the test, the file was not recovered. With that in mind, anyone who plans on paying is strongly advised to check whether the decryption feature works first.