Press Center

It has been two weeks since ESET found out that TeslaCrypt ransomware closed down its operations and created a TeslaCrypt decryptor that allows ransomware’s victims to get their files back. Since then, over 32.000 users around the globe have already taken this opportunity and downloaded the tool. 

But even with TeslaCrypt abandoning its territory, malware extortion families have lost none of their prominence amongst cybercriminals. With unceasing waves of JS/TrojanDownloader.Nemucod and JS/Danger.ScriptAttachment trying to download several variants of Locky, it would seem that this ransomware would be the one to lay claim to former TeslaCrypt’s turf. 

But according to ESET LiveGrid® statistics, there is another player in the game, showing an even higher level of prevalence - namely Win32/Filecoder.Crysis. 

ESET’s analysis shows that this nasty ransomware is able to encrypt files on fixed, removable and network drives. It uses strong encryption algorithms and a scheme that makes it difficult to crack in reasonable time.

During our research we have seen different approaches to how the malware is spread. In most cases, Crysis ransomware files were distributed as attachments to spam e-mails, using double file extensions. Using this simple – yet effective – technique, executable files appear as non-executable.

Another vector used by the attackers has been disguising malicious files as harmless looking installers for various legitimate applications which they have been distributing via various online locations and shared networks.

To become more persistent, Crysis ransomware also sets registry entries in order to get executed at every system start. 

Upon execution, it encrypts all file types (including those with no extension), leaving only necessary operating system and malware files untouched. The trojan collects the computer’s name and a number of encrypted files by certain formats, finally sending them to a remote server controlled by the attacker. On some Windows versions, it also attempts to run itself with administrator privileges, thus extending the list of files to be encrypted. 

After finishing its malicious intentions, a text file named How to decrypt your files.txt is dropped into the Desktop folder, in some cases accompanied by DECRYPT.jpg picture, displaying the ransom message as desktop wallpaper.

The initially provided information is limited to two contact email addresses of the extorters. After sending the email, the victim receives further instructions. Among other things, it includes the price of the decryptor (varying from 400 to 900 euros). The victim is instructed to buy BitCoins and send them to the operators’ BitCoin wallet specified at the end of the message. 

However, victims infected by older variants of Win32/Filecoder.Crysis have a decent chance of getting their files back without paying the attackers. Files encrypted by the older variants might be restored with the assistance of ESET technical support.

This article originally appeared on ESET’s blog WeLiveSecurity.com.

 

---

   

About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organisations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

ESET recently updated its two-factor authentication (2FA) application, adding a secure validation to weak and static user passwords. This updated version of ESET’s 2FA application provides flexibility and deeper integration of 2FA into bespoke applications, making it the best cost-effective solutions for SMBs everywhere.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. For more information visit https://eset.version-2.sg/ or follow us on Facebook.

 

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Version 2 Limited.
For more information, please visit www.version-2.com.sg or call (65) 6296-4268.