A new piece of ransomware named Crypton was discovered by the security researcher MalwareHunterTeam.
Lately, many .NET-based ransomware pieces flooded VirusTotal but most of them were poorly coded and unsophisticated. Crypton, on the other hand, is a little bit more advanced and complex compared to the rest of the newbies.
“It’s a ‘good’ one. At least compared to the latest .NET ones, this is not bad.” – MalwareHunterTeam told Bleeping Computer on Twitter.
Unfortunately, it is still unknown what distribution method Crypton's creators use for their product, but the researchers have managed to find out how the ransomware infects its victims. According to them, the infection process relies on a malware dropper, which the crooks use to gain a foothold on the targeted computer. They may use a malvertising campaign or a spam email message to deliver it.
After the dropper infects the victim, it unzips and installs the Crypton ransomware from a “crypton.exe” file. Statistics show that the detection rates of both the file and the dropper on VirusTotal are quite low.
Even though some scanners detect Crypton as a Hidden Tear variant, MalwareHunterTeam notes there is no evidence supporting that label.
During installation, the Crypton Ransomware gains boot persistence by modifying the Windows Registry. For file encryption it uses the AES+RSA combination preferred by other top-shelf ransomware families: the victims' data is locked with an AES key, and then the AES key and IV are encrypted with an RSA public key. The private RSA key, which allows the crooks to decrypt the files, is held on the ransomware's Command & Control server.
Crypton marks each encrypted file by adding “_crypt” to its name, placed before the original extension: a file named “image.png” before encryption becomes “image_crypt.png” afterwards. The ransomware is in touch with its C&C from the very beginning, and when the encryption process ends it flips the “isDone” flag to notify its authors that the job has been done.
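A defender-side triage helper for the naming pattern described above, added here as an example (it is not code from the article, the researchers, or the malware). It assumes only what the article states: “_crypt” is inserted directly before the original extension, so a listing of affected names can be mapped back to the pre-encryption names and counted; the `threshold` knob and the sample listing are constructed for the example.

```python
"""Map Crypton-style file names back to their originals and flag mass renames."""
import ntpath  # Windows path semantics regardless of the host OS
import re
from typing import Dict, List, Optional

# "<stem>_crypt<.ext>", extension optional. The stem must be non-empty so a
# bare "_crypt.png" is not reported, and the pattern is anchored so names that
# merely contain "_crypt" elsewhere (e.g. "my_crypto_notes.txt") do not match.
_CRYPT_RE = re.compile(r"^(?P<stem>.+)_crypt(?P<ext>\.[^.]+)?$")


def crypton_original_name(file_name: str) -> Optional[str]:
    """Return the pre-encryption name if file_name carries the marker, else None."""
    m = _CRYPT_RE.match(file_name)
    if not m:
        return None
    return m.group("stem") + (m.group("ext") or "")


def scan_names(paths: List[str], threshold: int = 3) -> Dict[str, object]:
    """Collect renamed files (renamed -> original path) and flag likely mass encryption.

    threshold is an assumed triage tuning value: one hit may be a coincidence,
    many hits in a single listing look like an encryption run.
    """
    hits: Dict[str, str] = {}
    for path in paths:
        original = crypton_original_name(ntpath.basename(path))
        if original is not None:
            hits[path] = ntpath.join(ntpath.dirname(path), original)
    return {"hits": hits, "likely_crypton": len(hits) >= threshold}


# Constructed sample directory listing, not real victim data.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\image_crypt.png",
    r"C:\Users\alice\Documents\report_crypt.docx",
    r"C:\Users\alice\Documents\archive.tar_crypt.gz",   # multi-dot name
    r"C:\Users\alice\Documents\notes_crypt",            # no extension at all
    r"C:\Users\alice\Documents\my_crypto_notes.txt",    # benign look-alike
    r"C:\Users\alice\Documents\readme.txt",
]

if __name__ == "__main__":
    result = scan_names(SAMPLE_LISTING)
    for renamed, original in result["hits"].items():
        print(f"{renamed} -> {original}")
    print("likely Crypton activity:", result["likely_crypton"])
```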
When the encryption process is complete, Crypton displays a ransom note in English or in Russian, depending on the language of the victim's PC. The same message is also dropped as a text file on the user's Desktop. The ransom amount varies from 0.2 to 2 Bitcoins, which equals $150 – $1,500 USD. Unfortunately, at the moment there is no way of decrypting files locked by the Crypton ransomware.
Crypton's C&C server has recently been taken down. In the last couple of days, researchers who accessed it saw an image and a quote from Oscar Wilde; now, instead of that message, the URL serves a 404 page.