
Article · Jul 5, 2016

Crysis ransomware expands reach in wake of TeslaCrypt's demise


The newest crypto-ransomware family, known as "Crysis," is on its way to becoming one of the best-known ransomware viruses—right up there with "Locky."

Cybercriminals using Crysis often incorporate double file extensions into their attacks, a technique that makes the hidden Crysis ransomware executable appear to be a harmless document rather than a program. Other attackers disguise Crysis as an installer for various legitimate applications. To drive traffic to the ransomware, they advertise their fake installers on tech support forums, social media, and other online locations.
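As an added illustration that is not part of the original article, here is a small filename check a mail gateway or attachment-triage script could apply to catch the double-extension lure described above. The executable and decoy extension lists are assumptions of this example, not taken from the article, and the sample attachment names are constructed.

```python
"""Flag attachment names that use the double-extension trick (constructed example)."""

# Extensions Windows treats as executable (assumed list, not taken from the article).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf"}
# Extensions a lure imitates so the file looks like a document (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip", "rtf"}


def is_double_extension_lure(filename: str) -> bool:
    """True when the real (last) extension is executable and the one before it is a decoy.

    Whitespace between the decoy extension and the real one ("invoice.pdf   .exe")
    is tolerated, since padding is sometimes used to push the real extension out of view.
    """
    parts = [p.strip() for p in filename.lower().rsplit(".", 2)]
    if len(parts) < 3:
        return False
    _, decoy, real = parts
    return real in EXECUTABLE_EXTS and decoy in DECOY_EXTS


def flag_attachments(names):
    """Return the subset of attachment names that match the double-extension pattern."""
    return [n for n in names if is_double_extension_lure(n)]


# Constructed sample attachment names for demonstration.
SAMPLE_ATTACHMENTS = [
    "Invoice_2016-07.pdf.exe",
    "photo.jpg.scr",
    "report.docx",
    "setup.exe",
    "scan.pdf                    .exe",
    "archive.tar.gz",
    "notes.txt.js",
]

if __name__ == "__main__":
    for name in flag_attachments(SAMPLE_ATTACHMENTS):
        print("suspicious attachment:", repr(name))
```

A plain `setup.exe` or `archive.tar.gz` is deliberately not flagged; the check targets only the document-then-executable pattern, so it complements rather than replaces an attachment allow-list.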

Surprising end to TeslaCrypt
Crysis gained a foothold in the notorious ransomware market in the wake of TeslaCrypt's demise. TeslaCrypt is known as the ransomware virus that infected users via the Angler exploit kit's Adobe Flash exploit. In May, researchers at the Slovakian IT security firm ESET learned that the developers behind TeslaCrypt planned to abort their operations.

Curious, the ESET researchers decided to reach out to the malware authors and request a copy of the master decryption key.

What happened next came as a surprise. TeslaCrypt’s operators made the key public—and ESET used the master decryption key to create its decryption tool. That decryptor allows all TeslaCrypt victims to decrypt their files for free.

As the dust settled, ESET began closely watching the activities of Crysis to see if it might become the next heavy-hitting family of ransomware viruses.

First detected by ESET back in February, the Win32/Filecoder.Crysis.B variant of the Crysis family is known for its ability to encrypt files on local, removable and network drives using a strong, difficult-to-crack encryption algorithm.

ESET explains in a blog post that computer criminals are using two vectors in particular to distribute the ransomware—double file extensions in malicious emails and advertisements for fake installers of various applications. Regardless of its distribution vector, once Crysis lands on a target computer, it first sets registry entries so that it executes every time the system starts. It then begins its encryption process.

Unlike other ransomware variants that target specific file extensions, Crysis encrypts all file types except operating system files and other malware files – even those that don't have a file extension – using a combination of RSA and AES encryption. It also collects information about the computer and sends it off to a remote machine.

Bitcoin ransom demand
ESET's researchers provide more information:

"After finishing its malicious intentions, a text file named How to decrypt your files.txt is dropped into the Desktop folder. In some cases, this is accompanied by a DECRYPT.jpg picture, displaying the ransom message as desktop wallpaper. The information initially provided is limited to two contact email addresses of the extorters. After sending the email, the victim receives further instructions."

Those instructions ask the user to send over a ransom payment ranging in value from $450 to $1,000. All payments are handled in Bitcoin to prevent researchers from tracking the ransom payments back to the malware authors.

But computer criminals such as those behind Crysis bank on victims paying the ransom fee to advance their business model. Don't give those miscreants the satisfaction. Make sure to back up your data frequently so that you can freely restore your files if you experience a ransomware infection.

David Bisson

David Bisson is an infosec news junkie and security journalist. He currently works as Contributing Editor for Graham Cluley Security News, Associate Editor for Tripwire's "The State of Security" blog, and Contributing Author to Metacompliance Ltd. and OASIS Open. David hopes his writing will help protect users against online threats, especially ransomware.
