Crysis is now indicating a real capacity to replace other notorious high-profile ransomware threats.
Recently, security experts have turned their focus to high-profile threats such as Locky, Zcrypt, CryptXXX and its rebranded UltraCrypter update, which keep the online world on its toes. In the meantime, an old and well-known threat sitting quietly in the background has developed into an updated infection with previously unseen malicious capabilities. The formerly low-profile ransomware known as Crysis is now showing a real capacity to replace the notorious high-profile ransomware threats and spread its fearsome malicious activities.
This updated cryptovirus is packed with some truly malicious features, security experts warn. From a brief analysis, it appears that Crysis is now able to encrypt literally all types of files without exception. It can lock even files with no extension, system files included, and it does so on every drive that is available, be it fixed, removable or networked.
This behavior is highly unusual, since most other ransomware encrypts only files matching a list of specific types. Another distinguishing feature that security experts point out is that Crysis also encrypts various executable files such as .exe and .dll. This is not common among the known high-profile ransomware families, if a comparison is to be made. As a result, the compromised computer system may become unstable because parts of the OS get encrypted. In other cases, Crysis ransomware can even run with administrator privileges on some Windows operating systems, which gives its encryption mechanism the ability to reach even more system files.
Like any other ransomware, Crysis demands a ransom from its victims. They are given detailed instructions on how to make the payment in order to receive the necessary encryption key. For this key the hackers are seeking bitcoins worth 400 to 900 euros, one of the highest ransom demands known. The instructions can be found in a text file that is automatically downloaded into the infected computer's desktop folder.
Crysis was first spotted in February this year, but back then it did not show serious malicious abilities and was regarded as a low-profile ransomware threat. With the new updates, its methods of distribution may vary, as it aims to infect users in numerous ways. This ransomware mostly spreads through spam emails, Trojan horses and malicious attachments. It usually arrives as a very well disguised threat that uses a double file extension, which makes executable files appear to be non-executable. Users should beware that such malicious files, carrying the Crysis infection inside, can be found in various online locations and on shared networks.
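As an added illustration, not code from the original article: a defender-side Python check that flags attachment names using the double-extension disguise described above, and shows what Windows Explorer would display with "Hide extensions for known file types" enabled. The extension sets and the sample attachment list are constructed assumptions, a representative subset only.

```python
import os
from pathlib import PurePath

# Extensions Windows runs directly (assumed representative subset, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Extensions a user expects to be harmless documents or media (assumed subset).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}

# Constructed sample of attachment names as they might arrive in a mail queue.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf.exe",   # document extension followed by an executable one
    "quarterly.xlsx",    # ordinary spreadsheet
    "photo.jpg.scr",     # screensaver executable disguised as an image
    "archive.tar.gz",    # two extensions, but neither is executable
    "setup.exe",         # plainly executable, not disguised
]


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it when known extensions are hidden.

    Only the final extension is suppressed, so 'invoice.pdf.exe' is displayed
    as 'invoice.pdf', which is exactly why the double-extension trick works.
    """
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else filename


def classify(filename: str) -> str:
    """Return 'disguised-executable', 'executable' or 'benign' for a file name."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return "benign"
    # Executable whose preceding extension is a document type: the disguise.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        return "disguised-executable"
    return "executable"


def flag_attachments(names):
    """Return the attachment names that use the double-extension disguise."""
    return [n for n in names if classify(n) == "disguised-executable"]


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name:20} shown as {displayed_name(name):16} -> {classify(name)}")
```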
The malware does not stop at encrypting the victims' data; it also collects various information, such as the infected computer's name and some of the encrypted files, which is later sent to a remote command and control server. The malicious script executes every time the system is restarted, thanks to registry entries it sets in the system.
Packed with a handful of malicious tools, Crysis ransomware gains a stronger foothold in the system than any other high-profile ransomware, making itself more difficult to remove. Its updates now pose a challenge to security experts, who should not underestimate the fast evolution of ransomware.