Hunting Ransomware Cry128


    Ransomware Family:

    CryptON

     

    Variants:

    Cry9, Cry36, Cry128, Nemesis

     

    Infection Technique:

    All known variants of the CryptON ransomware (Cry9, Cry36, Cry128, Nemesis) appear to be delivered by brute-forcing RDP (Remote Desktop Protocol) credentials: once the attacker has a working logon, they connect to the victim's server interactively and execute the ransomware by hand. This means the initial compromise shows up as a burst of failed remote-interactive logons followed by a success, not as a malicious e-mail or download.
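    The infection technique above leaves a clear trace in the Windows Security log: many failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, then a successful logon (Event ID 4624) from the same address. The following is an added example written for this article, not code from the original page; it assumes the events have been exported as one-line text records with the fields shown (a real SIEM export will differ, so the regex will need adjusting), and the sample records are constructed and use RFC 5737 documentation addresses.

```python
"""Hunt for RDP password brute-forcing in exported Windows Security events.

Added example for this article; not code from the original page.
Assumptions: events are one-line text records with the fields below
(adjust LINE_RE for a real export); EventID 4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a burst from one address that ends in a successful
# logon, a slow trickle from a second address, a console logon (LogonType 2)
# that must be ignored, and one line that is not a record at all.
SAMPLE_LOG = """\
2017-05-01T10:00:01Z EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.5
2017-05-01T10:00:02Z EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.5
2017-05-01T10:00:03Z EventID=4625 LogonType=10 TargetUser=root SrcIP=203.0.113.5
2017-05-01T10:00:04Z EventID=4625 LogonType=10 TargetUser=user SrcIP=203.0.113.5
2017-05-01T10:00:05Z EventID=4625 LogonType=10 TargetUser=test SrcIP=203.0.113.5
2017-05-01T10:00:06Z EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.5
2017-05-01T10:00:09Z EventID=4624 LogonType=10 TargetUser=backup SrcIP=203.0.113.5
2017-05-01T10:30:00Z EventID=4625 LogonType=10 TargetUser=jsmith SrcIP=198.51.100.7
2017-05-01T11:30:00Z EventID=4625 LogonType=10 TargetUser=jsmith SrcIP=198.51.100.7
2017-05-01T10:05:00Z EventID=4625 LogonType=2 TargetUser=jsmith SrcIP=-
this line is not an event record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)
RDP_LOGON_TYPE = "10"


def parse_events(log_text):
    """Parse records into (timestamp, event_id, logon_type, user, ip), time-ordered."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an event record; skip it rather than abort the hunt
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["eid"], m["ltype"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])  # exports are not always chronological
    return events


def hunt_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`, and
    any RDP success from such an IP while the burst is still inside the window
    (the brute force worked; that host now needs incident response).
    Returns {"bursts": {ip: details}, "compromised": [(ip, user, timestamp)]}.
    """
    recent_failures = defaultdict(deque)  # ip -> failure timestamps inside window
    users_tried = defaultdict(set)
    bursts, compromised = {}, []
    for ts, eid, ltype, user, ip in parse_events(log_text):
        if ltype != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive logons are RDP
        q = recent_failures[ip]
        while q and ts - q[0] > window:
            q.popleft()  # slide the window forward
        if eid == "4625":
            q.append(ts)
            users_tried[ip].add(user)
            if len(q) >= threshold:
                bursts[ip] = {"count": len(q), "first": q[0], "last": ts,
                              "users_tried": sorted(users_tried[ip])}
        elif eid == "4624" and len(q) >= threshold:
            compromised.append((ip, user, ts))
    return {"bursts": bursts, "compromised": compromised}


if __name__ == "__main__":
    findings = hunt_rdp_bruteforce(SAMPLE_LOG)
    for ip, d in findings["bursts"].items():
        print(f"burst from {ip}: {d['count']} failures, users tried {d['users_tried']}")
    for ip, user, ts in findings["compromised"]:
        print(f"SUCCESSFUL RDP LOGON after burst: {ip} as {user} at {ts}")
```

    The threshold and window are tuning knobs: a slow attacker who spreads attempts over hours stays under a 10-minute window, so also review per-IP totals over a day. A success that follows a burst is the high-priority finding, because it marks the host the operator logged into to run the ransomware.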

     

    Encryption Technique:

    Files are encrypted with AES in ECB mode. Note that AES as standardized operates on 128-bit (16-byte) blocks with a 128-, 192- or 256-bit key; a "128 byte block" or a "1024-bit key" is not an AES parameter, so those figures should not be relied on until confirmed from a sample. Because ECB encrypts every 16-byte block independently with the same key, identical plaintext blocks yield identical ciphertext blocks, so the encrypted files still leak the structure of the originals.

     

    Working:

    • Deletes Volume Shadow Copies, so no local snapshot is left to recover files from.
    • Does not encrypt files under C:\Program Files or C:\Windows, so that the system still boots (and the victim can read the ransom note).
    • Does not encrypt network drives.
    • Encrypts every supported file on the system by copying it, encrypting the copy, and then deleting the original.

     

    Extensions:

    • mf8y3
    • 63vc4
    • onion.to._
    • onion._
    • id-_[qg6m5wo7h3id55ym.onion.to].63vc4

     

    Ransom Notes:

    • ### DECRYPT MY FILES ###.html
    • ### DECRYPT MY FILES ###.txt
    • txt
    • -DECRYPT-MY-FILES.txt
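    The extension list and the ransom-note names above are the file-system indicators to sweep for on a suspect host or a mounted disk image. The following is an added example written for this article, not code from the original page. Its name patterns are taken from those two lists; the "_" fields in the list entries are elided in the source, so treating them as wildcards (any suffix after "onion" or "onion.to", any id value) is an assumption, as is matching "-DECRYPT-MY-FILES.txt" as a suffix in case the list entry is truncated at the front. The sample paths are constructed.

```python
"""Sweep a file listing for Cry128 / CryptON artefacts: encrypted-file names
and ransom notes. Added example for this article, not code from the page.
Assumptions: elided "_" fields in the article's extension list are treated
as wildcards; "-DECRYPT-MY-FILES.txt" is matched as a suffix.
"""
import os
import re
from pathlib import PureWindowsPath

ENCRYPTED_NAME_RE = re.compile(
    r"\.(?:mf8y3|63vc4)$"                                # plain .mf8y3 / .63vc4
    r"|\.id-[^\\/]*\[[^\]]*\.onion(?:\.to)?\][^\\/]*$"    # .id-_[<host>.onion.to].<ext>
    r"|\.onion(?:\.to)?\.[^.\\/]+$",                      # .onion.<x> / .onion.to.<x> (assumed)
    re.IGNORECASE,
)
RANSOM_NOTE_NAMES = {"### decrypt my files ###.html", "### decrypt my files ###.txt"}
RANSOM_NOTE_SUFFIX = "-decrypt-my-files.txt"  # assumed suffix match (entry may be truncated)

# Constructed sample listing: hits, clean files, and two decoys that contain
# "onion" or live under a directory the article says the malware skips.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.mf8y3",
    r"C:\Users\alice\Documents\### DECRYPT MY FILES ###.txt",
    r"C:\Users\alice\Documents\### DECRYPT MY FILES ###.html",
    r"D:\shares\hr\contract.docx.id-_[qg6m5wo7h3id55ym.onion.to].63vc4",
    r"D:\shares\hr\-DECRYPT-MY-FILES.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.onion.to.abc",   # assumed shape of "onion.to._"
    r"C:\Users\alice\Pictures\holiday2.jpg.onion.xyz",     # assumed shape of "onion._"
    r"C:\Users\alice\Pictures\clean.jpg",                  # untouched file
    r"C:\Users\alice\Recipes\recipes.onion.soup.txt",      # benign "onion" in a name
    r"C:\Windows\System32\kernel32.dll",                   # C:\Windows is not encrypted
]


def classify(filename):
    """Return 'encrypted', 'ransom_note' or None for a bare file name."""
    low = filename.lower()
    if low in RANSOM_NOTE_NAMES or low.endswith(RANSOM_NOTE_SUFFIX):
        return "ransom_note"
    if ENCRYPTED_NAME_RE.search(filename):
        return "encrypted"
    return None


def hunt(paths):
    """Classify Windows paths and collect the directories they touch, which is
    the blast radius to record in the incident notes."""
    found = {"encrypted": [], "ransom_notes": [], "directories": set()}
    for p in paths:
        wp = PureWindowsPath(p)
        kind = classify(wp.name)
        if kind == "encrypted":
            found["encrypted"].append(p)
        elif kind == "ransom_note":
            found["ransom_notes"].append(p)
        else:
            continue
        found["directories"].add(str(wp.parent))
    return found


def hunt_tree(root):
    """Walk a live directory tree (or a mounted image) and run the same checks."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return hunt(paths)


if __name__ == "__main__":
    result = hunt(SAMPLE_PATHS)
    print(f"{len(result['encrypted'])} encrypted files, "
          f"{len(result['ransom_notes'])} ransom notes in "
          f"{len(result['directories'])} directories")
    for path in result["encrypted"]:
        print("  encrypted:", path)
```

    The ransom notes are the cheapest indicator: the malware drops them in the directories it encrypts, so one hit on a note name is enough to confirm the family even if the extension pattern has changed. Keep the encrypted files and notes rather than deleting them; the decryption steps later in this article work on those files.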

     

    Partial content of notes:

    *** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

    To decrypt your files you need to buy the special software. To recover data, follow the instructions!

    You can find out the details/ask questions in the chat: ..........

     

    Ransom Payment method:

    Cry128 normally directs the victim to a payment portal hosted on Tor, reachable through Tor2Web links, and demands a payment of 0.15 bitcoin. Detailed instructions are given in the ransom notes.

    General advice: do not pay the ransom. Payment does not guarantee that you will get your data back, and it funds the criminals running the campaign.

     

    What to do, if infected:

    • Isolate the system from the network immediately to stop the infection spreading to other systems, and revoke or reset the credentials that were used to log on over RDP.
    • Run a full scan with up-to-date security software to disinfect the system.

     

    How to recover encrypted data:

    A free decryption tool is available for this family; follow the steps in the guide linked below.

    https://decrypter.emsisoft.com/howtos/emsisoft_howto_cry128.pdf

     

    How to Protect:

    • Disable the RDP service wherever it is not needed, and where it is required do not expose it directly to the internet (reach it through a VPN or gateway instead).
    • First and foremost, use strong, unique passwords for every account that can log on over RDP; the attackers rely on brute force, so strong passwords together with an account-lockout policy make the attack impractical.
    • Make a habit of taking regular backups to offline storage, since the malware deletes shadow copies and anything it can reach on the machine.