New Ransomware Taking Over

Tuesday, June 14, 2016 @ 03:06 PM gHale

Everything is replaceable and that holds true even with ransomware. That is because three weeks ago TeslaCrypt ransomware shut down, but there is a new ransomware in the process of taking over.

Crysis ransomware’s first versions ended up discovered online in mid-February, said researchers at ESET.

Hike in New Type of Ransom Attacks
New Ransomware Hits, But Asks Small Fee
Ransomware Ups its Game
Ransomware Regenerates Every 15 Seconds

These versions, however, were not the greatest malware out there. But that was temporary.

Now, researchers said Crysis features a strong encryption mechanism that goes after local files, network shares, and even removable drives once it infects a target.

Crysis doesn’t bother targeting certain file extensions but encrypts every file it can get it hands on, except its own binaries and core Windows files. Even files without an extension won’t escape, the researchers said in a post.

Once the encryption process finishes, Crysis communicates to its C&C server, sends local computer details in order to identify the infected target, and tells it the number of files it encrypted.

At this point, the ransomware’s operations are almost done, and all that’s left to do is to drop a text file on the user’s desktop named “How to decrypt your files.txt” and then change the user’s desktop.

Crysis developers use two email addresses found in the text file and the image used as the desktop wallpaper. Users end up told to send an email to these two addresses in order to recover their files.

ESET said the payment fee varies between $450 and $1,000. Payment is handled via Bitcoin, to a wallet address each victim receives in the email reply.

ESET said Crysis might be the ransomware that takes TeslaCrypt’s place.

Leave a Reply

You must be logged in to post a comment.