CryLocker – Ransomware that discloses the victim's location publicly


MalwareHunterTeam has discovered a new ransomware family that calls itself CryLocker and abuses legitimate services such as Google Maps, Imgur, and Pastee.

Researchers first spotted this ransomware towards the end of August, when they noticed something peculiar about its mode of operation: it used UDP packets instead of TCP and made several connections to legitimate sites.

After further analysis, researchers discovered that CryLocker was infecting users and locking a large number of file types. Instead of sending all information to remote C&C servers, the ransomware encoded this data as a PNG file, which it then uploaded to Imgur, or to Pastee if Imgur didn't respond.

"Although the PNG file has a valid file header, it does not contain an image but the system information as ASCII strings," Trend Micro researchers discovered.
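The trick described in the quote above, a valid PNG signature with no image behind it, is easy to check for. The following is an added example written for this page, not code from Trend Micro or the original article: it walks the PNG chunk structure (length, type, data, CRC32) and flags files whose signature is valid but whose body is mostly printable ASCII rather than chunks. Both sample files, and the field names inside the fake one, are constructed here for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample 1: a genuine 1x1 grayscale PNG built from well-formed chunks.
REAL_PNG = (
    PNG_SIGNATURE
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    + _chunk(b"IEND", b"")
)

# Constructed sample 2: a valid PNG signature followed by plain ASCII system
# information instead of chunks. The field names and values are made up here.
FAKE_PNG = PNG_SIGNATURE + (
    b"os=Windows 7 Professional\r\n"
    b"user=alice\r\n"
    b"hostname=DESKTOP-EXAMPLE\r\n"
    b"keyboard=0409\r\n"
)


def inspect_png(data: bytes) -> dict:
    """Parse the chunk list and report whether the file is a structurally valid PNG."""
    result = {"valid_signature": False, "structurally_valid": False,
              "chunks": [], "printable_ratio": 0.0}
    if not data.startswith(PNG_SIGNATURE):
        return result
    result["valid_signature"] = True
    body = data[len(PNG_SIGNATURE):]
    # Share of the body that is printable ASCII (or CR/LF/TAB); a real PNG
    # is dominated by binary zlib data, a text dump is close to 1.0.
    printable = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    result["printable_ratio"] = printable / len(body) if body else 0.0

    pos, ok, saw_ihdr, saw_iend = 0, True, False, False
    while pos + 8 <= len(body):
        length, ctype = struct.unpack(">I4s", body[pos:pos + 8])
        # Length must fit, type must be four ASCII letters, CRC must match.
        if length > len(body) - pos - 12 or not ctype.isalpha():
            ok = False
            break
        chunk_data = body[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", body[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + chunk_data) & 0xFFFFFFFF != crc:
            ok = False
            break
        result["chunks"].append(ctype.decode("ascii"))
        if ctype == b"IHDR" and pos == 0:
            saw_ihdr = True
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    result["structurally_valid"] = ok and saw_ihdr and saw_iend
    return result


def looks_like_disguised_exfil(data: bytes) -> bool:
    """True for a file that carries a PNG signature but is really a text blob."""
    r = inspect_png(data)
    return r["valid_signature"] and not r["structurally_valid"] and r["printable_ratio"] >= 0.9


def recover_payload(data: bytes):
    """For a flagged file, return the text hidden behind the signature (else None)."""
    if not looks_like_disguised_exfil(data):
        return None
    return data[len(PNG_SIGNATURE):].decode("ascii", errors="replace")


if __name__ == "__main__":
    for name, blob in (("real", REAL_PNG), ("fake", FAKE_PNG)):
        print(name, inspect_png(blob), looks_like_disguised_exfil(blob))
```

Running the check over images pulled from a proxy log or an image-host album quickly separates real pictures from text dumps wearing a PNG signature, and `recover_payload` gives the analyst the plaintext fields for triage.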

MalwareHunterTeam told Softpedia that he found PNG images inside CryLocker's Imgur album for over 10,000 victims, but mysteriously not from US or UK victims.

Trend Micro also says that the ransomware is hardcoded to avoid execution on PCs that use keyboard layouts specific to languages such as Belarusian, Kazakh, Russian, Sakha, Ukrainian, and Uzbek.

In its early stages, CryLocker also used the name Central Security Treatment Organization Ransomware, but this changed in versions released after September 5, the date at which it also shifted from using the RIG exploit kit to the Sundown exploit kit.

The name Central Security Treatment Organization is still used on CryLocker's Tor-based payment site. When displaying ransom notes on the user's PC, CryLocker changes the desktop background and also drops ransom notes in .txt and .html formats. The ransomware author asks for 1.1 Bitcoin to unlock the user's files.



The ransomware also gathers details of nearby WiFi networks and shows the user's location on the globe using Google Maps. Through the Google Maps API, a caller can determine the location of a querying device from the SSIDs of the wireless networks it can see. CryLocker uses the WlanGetNetworkBssList function to obtain a list of nearby wireless networks and their SSIDs, then queries the Google Maps API with these SSIDs to get the victim's location.

It is unclear what this data is currently used for, but it could be used to generate an image of the victim's location with Google Maps, which could then be used to further scare victims into paying the ransom.

All files locked by CryLocker are appended with the .cry file extension. There is no free decrypter available at this time that would allow users to recover their files.

Recovery via shadow volume copies is not possible because the ransomware deletes them after encrypting files. CryLocker differs from other ransomware in that it first copies the files, encrypts the copies, and then deletes the originals. Most ransomware variants simply encrypt the original in place.
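The copy-then-delete sequence described above leaves a distinctive trace in file-activity telemetry: for each affected document a new file with the original name plus `.cry` appears shortly before the original is deleted. The following added example (written for this page, not taken from the article or from Trend Micro's report) correlates such events and reports the originals that match the pattern. The event list is constructed for illustration, and the `(sequence, operation, path)` tuple format is an assumption standing in for whatever an EDR or file-audit log actually produces.

```python
from typing import Iterable, List, Tuple

RANSOM_EXT = ".cry"  # extension appended by CryLocker, per the article

# Constructed file-activity events: (sequence number, operation, path).
# Not from a real incident; the paths and ordering are made up for this example.
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (1, "create", r"C:\Users\alice\Documents\budget.xlsx.cry"),
    (2, "write",  r"C:\Users\alice\Documents\budget.xlsx.cry"),
    (3, "delete", r"C:\Users\alice\Documents\budget.xlsx"),
    (4, "create", r"C:\Users\alice\Pictures\holiday.jpg.cry"),
    (5, "delete", r"C:\Users\alice\Pictures\holiday.jpg"),
    (6, "write",  r"C:\Users\alice\Documents\notes.txt"),    # ordinary in-place edit
    (7, "delete", r"C:\Users\alice\Downloads\old.zip"),      # delete with no .cry sibling
    (8, "delete", r"C:\Users\alice\Music\track.mp3"),        # original deleted first...
    (9, "create", r"C:\Users\alice\Music\track.mp3.cry"),    # ...copy created after: no match
]


def find_copy_encrypt_delete(events: Iterable[Tuple[int, str, str]],
                             ext: str = RANSOM_EXT) -> List[str]:
    """Return originals whose encrypted copy (original + ext) was created
    BEFORE the original was deleted, in event order."""
    created = {}   # path of encrypted copy -> sequence number of its creation
    hits = []
    for seq, op, path in sorted(events):
        if op == "create" and path.lower().endswith(ext):
            created[path.lower()] = seq
        elif op == "delete":
            enc = (path + ext).lower()
            if enc in created and created[enc] < seq:
                hits.append(path)
    return hits


def is_mass_encryption(events: Iterable[Tuple[int, str, str]],
                       threshold: int = 2, ext: str = RANSOM_EXT) -> bool:
    """Simple alerting rule: at least `threshold` copy-encrypt-delete matches."""
    return len(find_copy_encrypt_delete(events, ext)) >= threshold


if __name__ == "__main__":
    for original in find_copy_encrypt_delete(SAMPLE_EVENTS):
        print("copy-encrypt-delete pattern:", original)
    print("mass encryption:", is_mass_encryption(SAMPLE_EVENTS))
```

The ordering check matters: a deletion followed later by a `.cry` creation (events 8 and 9 in the sample) does not fit the sequence the article describes and is deliberately not counted, which keeps the rule from firing on unrelated clean-up activity.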

Technical analysis on the ransomware's mode of operation is available in reports from Trend Micro.

How to Remove CryLocker Completely

Step 1. End CryLocker-related running processes in Windows Task Manager.

– Press the “Ctrl + Shift + Esc” keys together to open the Processes tab in Windows Task Manager.

– Click on any suspicious or unknown process related to CryLocker and click End Process.

Step 2. Uninstall CryLocker and unknown programs from Programs and Features.

– Press the “Win + R” keys together to open the Run box.

– Type appwiz.cpl in the Run box and click the OK button.

– Right-click on CryLocker and any related unknown program, then click Uninstall.

Step 3. Remove malicious registry entries related to CryLocker.

– Press the “Win + R” keys together to open the Run box.

– Type regedit to open the Registry Editor and remove the following registry entries generated by CryLocker:

HKEY_LOCAL_MACHINE\SOFTWARE\supWPM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wpm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Default_Page_URL”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\[virus name]

