
Cry (Central Security) Virus Remove and Restore .cry Files

A virus posing as an organization calling itself Central Security (CSTO), known as Cry ransomware, has been reported to encrypt the files of the computers it infects with RSA-4096 and to append the .cry extension to them. The ransom demanded varies with the files affected and usually lies between 0.27 and 1.14 BTC (Bitcoin). Once encryption has finished, the criminals give the victim 100 hours to pay; after that the amount is doubled. Victims are strongly advised not to pay any ransom set by Cry ransomware. Instead, read this article to learn how to neutralize the threat and attempt to restore your files.

Threat Summary

Name                 Cry Ransomware
Type                 Ransomware
Short Description    Encrypts files with RSA-4096 and demands a ransom of up to 650 USD to restore access to them.
Symptoms             Appends the .cry extension to every file it encrypts.
Distribution Method  Spam e-mails, e-mail attachments, file-sharing networks.

Cry Ransomware – How It Spreads

To infect as many users as possible, Cry ransomware is delivered in files that pose as Microsoft Office documents, Adobe Reader documents or other legitimate file formats. Such files may be distributed on shady websites, uploaded as fake installers or fake documents that the user happens to be searching for, or pushed aggressively in large spam e-mail campaigns that attach the ransomware's files to convincing messages with plausible subject lines in order to fool inexperienced users. Some example subject lines of e-mails that may carry a malicious attachment or web link delivering Cry ransomware:

  • “Your Purchase Is Complete.”
  • “Your Debit Card Has Been Closed.”
  • “The funds have been withdrawn.”

Cry Ransomware – What Does It Do

Once Cry ransomware has reached your computer, it may deliver its payload in one of several ways:

  • By connecting directly to a remote host and downloading the malicious file(s).
  • By carrying the payload itself in the file that was opened.
  • Through other malware already on the computer, such as a Trojan.Downloader, that fetches the files.
  • By executing a malicious .js (JavaScript) file, the so-called fileless approach.

As soon as it has been activated on your computer, the Cry virus may drop the following files:

  • !Recovery_{user id number with letters}.txt
  • !Recovery_{user id number with letters}.html
  • {malicious payload}.exe

Copies of these files may be placed in the Windows %Startup% folder, or values pointing to them may be added under the following registry keys so that they run at every system start:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Once this persistence is in place and the Cry virus is active, it may immediately create a folder named “old_shortcuts” on your desktop, into which it moves the files it encrypts.
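The following PowerShell script is an added example, not code from the article or from the malware's authors: it audits the four Run/RunOnce keys and the Startup folder named above and reports every entry, flagging targets that live in user-writable directories, are missing on disk, or lack a valid Authenticode signature. Those flags are the example's own heuristics (commodity ransomware usually runs unsigned from a profile or temp directory), not indicators taken from this page. It is read-only; run it elevated to see every HKLM value.

```powershell
# Added example, not code from the article: audit the autostart locations
# named in the text for entries that point at suspicious executables.
# Read-only. Run it as the affected user; run elevated to see every HKLM value.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Metadata properties the registry provider adds to every item; not autorun values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of a value such as
#   "C:\Users\bob\AppData\Roaming\svc.exe" /silent   or   %TEMP%\update.exe
function Get-ExecutablePath([string]$CommandLine) {
    $exe = $CommandLine.Trim()
    if ($exe -match '^"([^"]+)"')      { $exe = $Matches[1] }
    elseif ($exe -match '^(\S+\.exe)') { $exe = $Matches[1] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# Heuristics of this example (not indicators from the article): commodity
# ransomware usually runs from user-writable directories and is unsigned.
# A bare program name with no directory is reported as missing; check it by hand.
function Test-Suspicious([string]$Path) {
    $reasons = @()
    if ([string]::IsNullOrWhiteSpace($Path)) { return @('empty target') }
    if ($Path -match '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\') {
        $reasons += 'user-writable location'
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        $reasons += 'target missing'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }
    return $reasons
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in $providerProps) { continue }
        $exe = Get-ExecutablePath ([string]$prop.Value)
        $findings += [pscustomobject]@{
            Location = $key; Name = $prop.Name; Target = $exe
            Reasons  = (Test-Suspicious $exe) -join '; '
        }
    }
}

# The Startup folder exists per user and for all users; check both.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    foreach ($entry in (Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue)) {
        # Shortcuts are resolved to the program they launch
        $target = if ($entry.Extension -eq '.lnk') { $shell.CreateShortcut($entry.FullName).TargetPath } else { $entry.FullName }
        $findings += [pscustomobject]@{
            Location = $dir; Name = $entry.Name; Target = $target
            Reasons  = (Test-Suspicious $target) -join '; '
        }
    }
}

# Entries with at least one reason are listed first. An empty Reasons column
# means nothing stood out, not that the entry is known-good.
$findings | Sort-Object { $_.Reasons -eq '' } | Format-Table -AutoSize -Wrap
```

Review the flagged rows against what you actually installed before removing anything; plenty of legitimate updaters also run unsigned from AppData, which is why the script reports rather than deletes.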

The Cry virus is programmed to encrypt approximately 650 file types. Here is a portion of the extensions it looks for:

→ .#vc, .$ac, ._vc, .00c, .07g, .07i, .08i, .09i, .09t, .10t, .11t, .123, .13t, .1pa, .1pe, .2011, .2012, .2013, .2014, .2015, .2016, .2017, .210, .3dm, .3ds, .3g2, .3gp, .3me, .3pe, .500, .7z, .aac, .aaf, .ab4, .ac2, .acc, .accd, .ach, .aci, .acm, .acr, .aep, .aepx, .aes, .aet, .afm, .ai, .aif, .ami, .arc, .as, .as3, .asc, .asf, .asm, .asp, .asx, .ati, .avi, .back, .bak, .bat, .bay, .bc8, .bc9, .bd2, …, .h, .h10, .h11, .h12, .hbk, .hif, .hpp, .hsr, .html, .hts, .hwp, .i2b, .iban, .ibd, .ico, .idml, .iff, .iif, .img, .imp, .indb, .indd, .indl, .indt, .ini, .int?, .intu, .inv, .inx, .ipe, .ipg, .itf, .jar, .java, .jnq, .jp2, .jpeg, .jpg, .js, .jsd, .jsda, .jsp, .kb7, .kd3, .kdc, .key, .kmo, .kmy, .lay, .lay6, .lcd, .ldc, .ldf, .ldr, .let, .lgb, .lhr, .lid, .lin, .lld, .lmr, .log, .lua, .lz, .m, .m10, .m11, .m12, .m14, .m15, .m16, .m3u, .m3u8, .m4a, .m4v, .mac, .max, .mbsb, .md, .mda, .mdb, .mdf, .mef, .mem, .met, .meta, .mhtm, .mid, .mkv, .ml2, .ml9, .mlb, .mlc, .mmb, .mml, .mmw, .mn1, .mn2, .mn3, .mn4, .mn5, .mn6, .mn7, .mn8, .mn9, .mne, .mnp, .mny, .mone, .mov, .mp2, .mp3, .mp4, .mpa, .mpe, .mpeg, .mpg, .mql, .mrq, .ms11, .msg, .mwi, .mws, .mx0, .myd, .mye, .myi, .myox, .n43, .nap, .nd, .nef, .nl2, .nni, .npc, .nv, .nv2, .oab, .obi, .odb, .ode, .odg, .odm, .odp, .ods, .odt, .oet, .ofc, .ofx, .old, .omf, .op, .orf, .ost, .otg, .otp, .ots, .ott, .p08, .p12, .p7b, .p7c, .paq, .pas, .pat, .pcd, .pcif, .pct, .pcx, .pd6, .pdb, .pdd, .pdf, .pem, .per, .pfb, .pfd, .pfx, .pg, .php, .pic, .pl, .plb, .pls, .plt, .pma, .pmd, .pnq, .pns, .por, .pot, .potm, .potx, .pp4, .pp5, .ppam, .ppf, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .pr0, .pr1, .pr2, .pr3, .pr4, .pr5, .prel, .prf, .prn, .prpr, .ps, .psd, .psp, .pst, .ptb, .ptdb, .ptk, .ptx, .pvc, .pxa, .py, .q00, .q01, .q06, .q07, .q08, .q09, .q43, .q98, .qb1, .qb20, .qba, .qbb, .qbi, .qbk, .qbm, .qbmb, .qbmd, .qbo, .qbp, .qbr, .qbw, .qbx, .qby, .qbz, .qcn, .qcow, .qdf, .qdfx, .qdt, .qel, .qem, …, .vbs, .vcf, .vdf, .vdi, .vmb, .vmdk, .vmx, .vnd, .vob, .vsd, .vyp, .vyr, .wac, .wav, .wb2, .wi, .wk1, .wk3, .wk4, .wks, .wma, .wmf, .wmv, .wpd, .wpg, .wps, .x3f, .xaa, .xcf, .xeq, .xhtm, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xpm, .xqx, .yuv, .zdb, .zip, .zipx, .zix, .zka (and others…)

Files of these types, wherever found, are encrypted with RSA-4096. A 4096-bit RSA key cannot be brute-forced with any realistic amount of computing power, so without the criminals' private key the files cannot simply be "cracked"; recovery depends on a mistake in the malware's implementation, on the key leaking, or on backups.

The encrypted files cannot be opened by any software and carry the .cry file extension, for example:

[screenshot: an encrypted file with the .cry extension]

The .txt and .html notes may open automatically to display Cry ransomware's payment instructions:

[screenshot: the Cry ransom note]
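Before cleaning anything, it is worth recording what the infection left behind: the .cry files, the !Recovery_*.txt/.html notes and the old_shortcuts folder described above. The PowerShell script below is an added example, not code from the article: it inventories those artifacts, extracts the victim ID from the note's file name, brackets when the encryption ran from the files' write times, hashes one note so it can be matched by researchers, and writes a CSV of the encrypted files. The search roots (user profile plus system drive) and the report path are the example's own assumptions. Nothing is deleted or modified: a future decrypter needs the encrypted files and the note intact.

```powershell
# Added example, not code from the article: read-only triage of an infected
# machine. It inventories the .cry files, the !Recovery_*.txt/.html notes and
# the old_shortcuts folder described in the text, brackets when the encryption
# ran, and writes a CSV to keep with the encrypted files. Nothing is deleted
# or modified: a future decrypter needs the encrypted files and the note intact.

param(
    # Assumption: the profile and the system drive are enough; add mapped
    # network drives and removable media if the machine had any attached.
    [string[]]$Roots  = @($env:USERPROFILE, ($env:SystemDrive + '\')),
    [string]  $Report = (Join-Path $env:USERPROFILE 'cry-triage.csv')
)

function Find-Files([string[]]$Paths, [string[]]$Patterns) {
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p -Recurse -File -Include $Patterns -ErrorAction SilentlyContinue
    }
}

# The roots overlap (the profile sits on the system drive), so de-duplicate by path.
$encrypted = @(Find-Files $Roots '*.cry' | Sort-Object FullName -Unique)
$notes     = @(Find-Files $Roots '!Recovery_*.txt', '!Recovery_*.html' | Sort-Object FullName -Unique)
$shortcuts = Join-Path ([Environment]::GetFolderPath('Desktop')) 'old_shortcuts'

# The victim ID is the part of the note name after !Recovery_ (e.g. !Recovery_a1B2c3.txt)
$victimIds = @($notes | ForEach-Object {
    if ($_.Name -match '^!Recovery_([A-Za-z0-9]+)\.(txt|html)$') { $Matches[1] }
} | Sort-Object -Unique)

"Encrypted files : $($encrypted.Count)"
"Ransom notes    : $($notes.Count)  victim ID(s): $($victimIds -join ', ')"
"old_shortcuts   : $(if (Test-Path -LiteralPath $shortcuts) { 'present on desktop' } else { 'absent' })"

if ($encrypted.Count -gt 0) {
    # First and last write times bracket the encryption run; correlate them
    # with mail receipt and logon times to find the delivery e-mail.
    $byTime = $encrypted | Sort-Object LastWriteTime
    "Encryption window: $($byTime[0].LastWriteTime) -> $($byTime[-1].LastWriteTime)"

    # Directories hit hardest, to prioritise restoration from backup.
    $encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
}

# Hash one note so it can be matched by researchers without sending the file.
if ($notes.Count -gt 0) {
    $hash = (Get-FileHash -LiteralPath $notes[0].FullName -Algorithm SHA256).Hash
    "Note SHA256     : $hash  ($($notes[0].FullName))"
}

# Evidence list: path, original name with .cry stripped, size and timestamp.
$encrypted | Select-Object FullName,
    @{ n = 'OriginalName'; e = { $_.Name -replace '\.cry$', '' } },
    Length, LastWriteTime |
    Export-Csv -Path $Report -NoTypeInformation
"Report written to $Report"
```

Keep the CSV and a copy of the note together with the encrypted files; if a decrypter is released later, the original file names and the victim ID are exactly what it will ask for.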

Remove Cry Ransomware and Restore .cry Encrypted Files

Malware researchers strongly advise against paying the criminals behind this virus. Instead, remove the virus and try to restore your files using the instructions below while waiting for a decrypter to be released.

To remove Cry ransomware and attempt to restore your files, follow the step-by-step tutorial after this article. This article will be updated as soon as a free file decrypter for Cry ransomware becomes available.

Manually delete Cry Ransomware from your computer

Note! Manual removal of Cry ransomware involves editing system files and the registry, and a mistake there can damage your PC. If your computer skills are not at a professional level, the removal can instead be done with a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Cry ransomware files and objects
2. Find malicious files created by Cry ransomware on your PC
3. Fix registry entries created by Cry ransomware on your PC

Automatically remove Cry Ransomware by downloading an advanced anti-malware program

1. Remove Cry ransomware with the SpyHunter anti-malware tool
2. Back up your data to secure it against future infections and file encryption by Cry ransomware
Optional: using alternative anti-malware tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
