Cry (CSTO) Ransomware Uses Google Maps, UDP and Imgur (Removal Guide)

Cry (CSTO) Ransomware Uses Google Maps, UDP and Imgur (Removal Guide)

Ransomware is quickly becoming a major threat in the cyber space since it’s easy to use, hard to track and decrypt and the ROI is high. As a result, it’s evolving and improving with horrific speed.

Cry ransomware, for example, also known as Central Security Treatment Organization and CSTO uses the User Datagram Protocol (UDP) to communicate and Imgur and Google Maps to spread itself. Although it’s a rather simple encryption Trojan, and not sophisticated like Zepto or Cerber3, Cry ransomware should not be underrated as no decryption for it has yet been found, and experts say it has affected 8,000 users in just 2 weeks.

Threat Summary

NameCry (CSTO) Ransomware
Short DescriptionEncrypts the user’s files with a strong encryption algorithm and requests to contact e-mail address to make a ransom payoff of approximately 2000 dolalrs in BitCoin.
SymptomsFiles are encrypted and become inaccessible and a .cry file extension is being added to them. A ransom note is left as a text file on the desktop.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Cry (CSTO) Ransomware


Malware Removal Tool

User ExperienceJoin our forum to Discuss Bart Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Cry (CSTO) Ransomware Virus Uses UDP, Imgur and Google Maps to Collect and Communicate Victims’ Data

The User Datagram Protocol, or UDP, is the perfect protocol for network applications such as gaming, voice and video communications due to its low perceived latency and good quality. UDP is also used for applications requiring lossless data transmission.

The creators of Cry (CSTO) ransomware have chosen to use the UDP protocol in order to hide the location of the command and control server (C&C server). Once Cry infects a computer, it will gather information on the host such as the Windows and OS version, username, CPU type, installed service pack, etc. Then it will “communicate” that information via the UDP to 4096 different IP addresses, among which will be the hidden C&C server.

On another side, Cry uses Google Maps API to determine the victim’s location via Server Set Identifiers (SSIDs) of wireless networks in the given area. Experts have not yet, however, discovered why the Cry developers would need the victims’ locations. reported that Cry ransomware would also use websites such as and to host the collected information about the victims. Cry would then encrypt the collected information and compile it in a fake PNG file, and would send it to a photo gallery on In return, Imgur would rename the PNG file and “communicate” the new name via the UDP protocol to the C&C server.

According to researchers at Invincea, Cerber ransomware has also used similar technique with the UDP protocol in order to hide the C&C server location.

Cry (CSTO) Ransomware Virus In Detail

Cry ransomware also uses the name of a fake security organization – Central Security Treatment Organization – probably in order to appear legitimate to the users and thus to be more convincing as to why they need to pay the demanded ransom fee, which is 1.1 bitcoin, or $625. The Department of Pre-Trial Settlement or the Federal Agency of Investigation are also non-existent.

Once Cry ransomware is inside the computer, it will encrypt the victims’ sensitive data consisting of the following file types: BAT, TXT, LOG, DAT, MP3, JPG, WMV, BMP, XML, HTML, CSS and JS. The encrypted files will receive the .cry extension, hence the name of the ransomware. It will then delete the Shadow Volume Copies to prevent victims from restoring their files without paying the ransom.

Cry will then drop the ransom notes named “Recovery_[random_chars].html” and “!Recovery_[random_chars].txtencrypts” on the victim’s desktop with instructions.

The ransom note reads like this:

How did this happen?
Specially for your PC was generated personal 4096 bit RSA key, both public and private.
All your files have been encrypted with the public key.
Decrypting of your files is only possible with the help of the private key and de-crypt program.
What do I do?
If you HAVE REALLY VALUABLE DATA, you better NOT WASTE YOUR TIME, because there is NO OTHER WAY to get your files, EXCEPT MAKE A PAYMENT’

The victims are instructed on where they should click to pay the ransom fee.

Cry (CSTO) Ransomware Virus Removal

As mentioned earlier, Cry is quickly spreading around as it reached 8,000 infected users in just 2 weeks. Decryptors have not yet been developed and if your system has been attacked by Cry, we urge you to not pay the demanded amount. Cyber criminals may never send you a decryption key, and even if they do, Cry will remain in your system and may strike again.

It’s best to remove the virus from your system as soon as possible. Only then you could wait for a decryptor to be released or try to use a file recovery program to restore some of your data if possible.

Below you’ll find instructions on how to manually remove Cry, or what program to use to automatically remove the virus for you.

Boyana Peeva

Boyana Peeva

Believes that the glass is rather half-full and that nothing is bigger than the little things. Enjoys writing, reading and sharing content – information is power.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share