It has been two weeks since ESET created a TeslaCrypt decryptor, which allows victims of
the ransomware to get their files back. This came on the back of its
developers ceasing operations. Since then, over 32,000 users around the
globe have taken advantage of this opportunity and downloaded the tool.
But even with TeslaCrypt abandoning its territory,
malware extortion families have lost none of their prominence amongst
cybercriminals. With unceasing waves of JS/TrojanDownloader.Nemucod and JS/Danger.ScriptAttachment trying to download several variants
of Locky, it would seem that this ransomware would be the one to lay claim to
former TeslaCrypt’s turf.
But according to ESET LiveGrid® statistics, there
is another player in the game, showing an even higher level of prevalence –
namely Win32/Filecoder.Crysis.
ESET’s analysis shows that this nasty ransomware is
able to encrypt files on fixed, removable and network drives. It uses strong
encryption algorithms and a scheme that makes it difficult to crack in
reasonable time.
During our research we have seen different
approaches to how the malware is spread. In most cases, Crysis ransomware files
were distributed as attachments to spam emails, using double file extensions.
Using this simple – yet effective – technique, executable files appear as
non-executable.
Another vector used by the attackers has been
disguising malicious files as harmless looking installers for various
legitimate applications, which they have been distributing via various online
locations and shared networks.
To become more persistent, Crysis ransomware also
sets registry entries in order to be executed at every system start.
Upon execution, it encrypts all file types
(including those with no extension), leaving only necessary operating system
and malware files untouched. The trojan collects the computer’s name and a
number of encrypted files by certain formats, finally sending them to a remote
server controlled by the attacker. On some Windows versions, it also attempts
to run itself with administrator privileges, thus extending the list of files
to be encrypted.
After finishing its malicious intentions, a text
file named How to decrypt your files.txt is dropped into the Desktop folder.
In some cases, this is accompanied by a DECRYPT.jpg picture, displaying
the ransom message as desktop wallpaper.
The information initially provided is limited to
two contact email addresses of the extorters. After sending the email, the
victim receives further instructions.
Among other things, it includes the price of the
decryptor (varying from 400 to 900 euros). The victim is instructed to buy
bitcoins and send them to the operators’ bitcoin wallet specified at the end of
the message.
However, victims infected by older variants of
Win32/Filecoder.Crysis have a decent chance of getting their files back without
paying the attackers. Files encrypted by the older variants might be restored
with the assistance of ESET technical support.