While security experts were watching the high-profile ransomware families for signs of expansion, a low-profile family known as Crysis has been quietly gaining momentum and has now stolen the show.
Crysis has some decidedly malicious traits. In a post on ESET's WeLiveSecurity blog, the company's researchers write that Crysis encrypts virtually all file types, including files with no extension, on fixed, removable and network drives. In practice that means any share the logged-on user can write to, including backups reachable from the infected host, is within its reach.
“Most ransomware families are encrypting files with specific extensions, so this behavior is unusual,” ESET EMEA security specialist Ondrej Kubovic stated. “Also, various executable files (.exe, .dll) get encrypted, which is not common in comparison to high-profile ransomware.” As a result, the “affected computer may become unstable.”
On some Windows versions Crysis can even run with administrator privileges, which lets its encryption routine reach files a standard user account could not modify.
As with other ransomware, Crysis victims must follow the attackers' payment instructions to regain access to their files. In this case the attackers demand bitcoin worth between 400 and 900 euros. The instructions arrive in a text file dropped into the affected computer's desktop folder.
Crysis was first observed in February this year and spreads through several vectors. The most common is spam e-mail carrying attachments with a double file extension (a name ending in something like .pdf.exe), so that an executable appears to be a harmless document, particularly on systems where Windows hides known extensions.
Alternatively, the criminals are also “… disguising malicious files as harmless-looking installers for various legitimate applications, which they have been distributing via various online locations and shared networks,” the ESET post says.
“We have seen the malware executable faking names of common applications such as: WinRar, MS_Excel, iExplore, setup2 [and] setup22,” Kubovic said.
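The double-extension lure described above is easy to screen for at the mail gateway or in an attachment log. The following Python example is added to this page and is not code from ESET or from the original article; the extension lists, the "hide known extensions" approximation of Explorer's display behaviour and the sample attachment names are all constructed assumptions for the demonstration. It flags executables hiding behind a document extension, tolerates the whitespace-padding variant (`scan.jpg   .scr`) and also reports a bare executable attachment such as `WinRar.exe`, which matches the fake-installer names quoted above.

```python
"""Flag attachment names that use a double extension to disguise an
executable as a document.  Added example; not from the original page.
Extension sets and sample names below are constructed assumptions."""

from typing import List, Optional, Tuple

# Extensions Windows will run directly on double-click (assumed list).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "msi", "ps1",
}

# Extensions attackers borrow to make the file look harmless (assumed list).
DECOY_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
    "txt", "zip", "rtf",
}


def _basename(name: str) -> str:
    """Strip any directory part, accepting both / and \\ separators."""
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def extension_chain(name: str) -> List[str]:
    """Lower-cased extension chain, e.g. 'invoice.pdf.exe' -> ['pdf', 'exe'].
    Whitespace inside a part is stripped so 'scan.jpg   .scr' still yields
    ['jpg', 'scr']; empty parts are dropped."""
    parts = [p.strip().lower() for p in _basename(name).split(".")]
    return [p for p in parts[1:] if p]


def displayed_name(name: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' enabled: the final extension is dropped when it is a known type,
    so 'invoice.pdf.exe' is displayed as 'invoice.pdf'."""
    base = _basename(name)
    stem, dot, ext = base.rpartition(".")
    if dot and ext.strip().lower() in EXECUTABLE_EXTENSIONS | DECOY_EXTENSIONS:
        return stem
    return base


def classify_attachment(name: str) -> Optional[str]:
    """Return a reason string when the name is suspicious, else None."""
    chain = extension_chain(name)
    if not chain:
        return None
    real = chain[-1]
    if real not in EXECUTABLE_EXTENSIONS:
        return None
    if len(chain) >= 2 and chain[-2] in DECOY_EXTENSIONS:
        return (f"executable .{real} disguised as .{chain[-2]} "
                f"(displayed as '{displayed_name(name)}')")
    return f"executable attachment .{real}"


def scan(names: List[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every suspicious attachment name."""
    flagged = []
    for n in names:
        reason = classify_attachment(n)
        if reason:
            flagged.append((n, reason))
    return flagged


# Constructed sample attachment names for the demonstration.
SAMPLE_ATTACHMENTS = [
    "invoice_2016.pdf.exe",       # classic double extension
    "scan0042.jpg   .scr",        # whitespace padding before the real extension
    "report.docx",                # benign document
    "WinRar.exe",                 # bare executable with a familiar name
    r"C:\Users\me\Downloads\photo.PNG.Exe",  # mixed case, with a path
    "archive.tar.gz",             # legitimate double extension, not executable
]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_ATTACHMENTS):
        print(f"{name!r}: {reason}")
```

Running the block flags four of the six constructed names and leaves `report.docx` and `archive.tar.gz` alone; the check deliberately keys on the final extension only, since that is the one Windows acts on regardless of what precedes it.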
The trojan also collects the victim computer's name and a number of the encrypted files and sends them to a remote command-and-control server. It additionally sets registry entries so that it is executed every time the system restarts, which means that during cleanup those autostart entries have to be removed along with the executable itself, or the infection simply comes back on the next boot.
“By setting the registry entries, Crysis gains a stronger foothold in the system, making itself more difficult to remove,” Kubovic explained.