Crysis ransomware fills vacuum left by TeslaCrypt

TeslaCrypt has reached the end of the road, and other ransomware is ready to fill the vacuum left behind it. A relative newcomer to the market, Crysis ransomware is already laying claim to parts of TeslaCrypt’s territory.

Crysis ransomware

The Crysis ransomware family – not to be confused with the Crisis backdoor/spyware Trojan that targeted both Windows and Mac users some four years ago – is currently in its second iteration, and doesn’t differ much from other similar malware.

It’s first version dates back to February 2016, and according to ESET researchers, victims hit with it have a decent chance of getting their files back without paying the attackers (the company offered their help).

This latest version apparently uses strong encryption algorithms and a scheme that makes it difficult to crack in reasonable time.

Crysis encrypts (RSA, AES encryption algorithm) every file it finds on fixed, removable and network drives, except Windows system files and its own files.

It appends the .ID%variable%.%email_address%.xtbl extension to each of the encrypted files, and then drops the message for the victim, both in the form of a text file and desktop wallpaper:

Crysis ransomware ransom note

The victims are instructed to contact the crooks directly via one of the two offered emails addresses, and they ask for 400 to 900 euros (in bitcoin) for the decryptor that will restore the encrypted files to their original form.

“During our research we have seen different approaches to how the malware is spread. In most cases, Crysis ransomware files were distributed as attachments to spam emails, using double file extensions. Using this simple – yet effective – technique, executable files appear as non-executable,” ESET researchers shared.

“Another vector used by the attackers has been disguising malicious files as harmless looking installers for various legitimate applications, which they have been distributing via various online locations and shared networks.”