RANSOM_CRYSIS.F116LR
February 23, 2017
ALIASES: Trojan-Ransom.Win32.Cryakl.aom (Kaspersky)
PLATFORM: Windows
Threat Type: Trojan
Destructiveness: No
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It is capable of encrypting files in the affected system.
TECHNICAL DETAILS
File Size: 466,432 bytes
File Type: EXE
Initial Samples Received Date: 23 Dec 2016
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan leaves text files that serve as ransom notes containing the following:
- to decrypt files write to this mail {contact email}
Dropping Routine
This Trojan drops the following files:
- {folders and subfolders of the encrypted files}\README.txt (serves as the ransom note)
Other Details
This Trojan renames encrypted files using the following names:
- {directory of the encrypted files}\email-{contact email}.ver-CL 1.3.1.0.id-{HID}@@@@@F438-5F1B.randomname-{random name}.{3 random letters}.{random extension}
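The rename template above can be used to triage a file listing for affected folders. The following is an added example, not part of the original entry: the regular expression, the function names and the sample paths are constructed here, and it assumes the version field is "CL" followed by dotted digits and that the random name and extension contain no dots.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Regex built from the rename template on this page. Assumptions: the version
# is "CL" plus dotted digits, and the random name and extension contain no dots.
RENAMED = re.compile(
    r"email-(?P<contact>.+?)"
    r"\.ver-(?P<version>CL \d+(?:\.\d+)*)"
    r"\.id-(?P<id>.+?)"
    r"\.randomname-(?P<random_name>[^.]+)"
    r"\.(?P<letters>[A-Za-z]{3})"
    r"\.(?P<extension>[^.]+)"
)
NOTE_NAME = "readme.txt"  # ransom note name from the page; Windows names are case-insensitive


def parse_renamed(filename):
    """Return the template fields of a renamed file, or None if it does not match."""
    m = RENAMED.fullmatch(filename)
    return m.groupdict() if m else None


def triage(paths):
    """Group a file listing by folder and report folders that hold renamed files."""
    folders = defaultdict(lambda: {"renamed": [], "note": False})
    for raw in paths:
        p = PureWindowsPath(raw)
        fields = parse_renamed(p.name)
        if fields:
            folders[str(p.parent)]["renamed"].append(fields)
        elif p.name.lower() == NOTE_NAME:
            folders[str(p.parent)]["note"] = True
    # A README.txt alone is common and proves nothing; require a renamed file.
    return {d: info for d, info in folders.items() if info["renamed"]}


# Constructed listing (not from a real host), e.g. exported from a file inventory.
SAMPLE = [
    r"C:\Users\alice\Documents\README.txt",
    r"C:\Users\alice\Documents\email-someone@example.invalid.ver-CL 1.3.1.0"
    r".id-ABCDEFGH@@@@@F438-5F1B.randomname-QWERTYUIOPASDF.JKL.xyz",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Tools\README.txt",
]

if __name__ == "__main__":
    for folder, info in triage(SAMPLE).items():
        contacts = sorted({f["contact"] for f in info["renamed"]})
        print(folder, len(info["renamed"]), "renamed, note present:", info["note"], contacts)
```

The extracted contact and id fields are the values worth recording per host when scoping an incident.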