Security researchers have detected a new iteration of the CrySiS Ransomware which processes victim files with the .gamma extension. This new version follows the well-known behavior patterns and can cause many dangers to the infected hosts. It is based on the same modular platform and the criminals can create custom copies depending on the targets.
Our article provides an overview of the virus operations and it also may be helpful in attempting to remove the virus.
| Field | Details |
|---|---|
| Short Description | The ransomware encrypts files on your computer system, placing the .gamma extension on them, and demands a ransom to be paid to allegedly recover them. |
| Symptoms | The ransomware will encrypt your files and leave a ransom note with payment instructions. |
| Distribution Method | Spam Emails, Email Attachments |
| Detection Tool | See If Your System Has Been Affected by CrySiS Ransomware (Malware Removal Tool) |
| User Experience | Join Our Forum to Discuss CrySiS Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
CrySiS Ransomware – Distribution Tactics
The CrySiS ransomware is being distributed using various tactics. The hackers behind it appear to have launched a global campaign against computer users of all types: individual users, companies and enterprise clients. A common tactic is a SPAM email campaign aimed directly at the targets and incorporating phishing techniques. The messages are designed to look as if they had been sent by popular Internet services or sites that the users might use. The emails can either carry the virus files (or payload carriers) as direct attachments or link to them in the body contents.
A similar strategy is to construct fake download sites, landing pages and software Internet portals that deliver the same payloads.
These two methods are used to distribute the infected payload carriers of which there are two popular types:
- Documents — The hackers can embed the virus installation code in payload carriers such as popular document types: rich text documents, spreadsheets, databases and presentations. When they are opened by the victims a message prompt will appear asking the users to enable the built-in macros. If this action is allowed the virus installation will commence.
- Software Installers — The criminals behind the CrySiS ransomware may integrate the virus into application installers of popular software. They typically choose programs that end users commonly look for: creativity suites, system utilities and productivity solutions.
In certain cases the CrySiS ransomware files and the payloads built around them can be spread over file-sharing networks such as BitTorrent. These networks are widely used to distribute both pirated content and legitimately released creative products. The underground trackers primarily spread software and applications, which often carry CrySiS ransomware strains.
Advanced infection methods can include attack campaigns set up via browser hijackers. These are built to be compatible with the most popular web browsers, and the plugins are uploaded to their respective repositories. Their descriptions often promise to enhance the browser or add new functionality. Once installed, the typical behavior is to modify the default settings (home page, search engine and new tabs page) in order to redirect the users to a hacker-controlled page. When this step is complete the ransomware infection will follow.
CrySiS Ransomware – In-Depth Analysis
The CrySiS ransomware follows the set behavior pattern of previous iterations. The infiltrations begin with an information gathering module which is set to automatically harvest strings that can be categorized into two main groups:
- Personal Data — The hackers will acquire information that can be used to expose the identity of the victims. A data set can contain any of the following strings: their name, address, phone number, location, interests, etc.
- Campaign Metrics — The other CrySiS ransomware data extraction category is related to metrics that can be used to optimize the attack campaigns. The bulk of the hijacked data is made up of reports on the installed hardware, user settings and operating system values.
This particular ransomware family can also be identified as Dharma.
The next module that can take advantage of the hijacked data is the stealth protection one. It is used to protect the CrySiS ransomware from security software that can interfere with the virus operations. The list includes anti-virus engines, virtual machine hosts and debug environments. Depending on the exact configuration the applications themselves may be deleted.
At this stage the CrySiS ransomware will have full control of the host system — the modular engine will be able to hook into system processes, create processes of its own and set up administrative privileges for them.
Many popular virus versions choose to continue with Windows Registry modifications, both changing existing entries and creating new ones belonging to the virus code. Note that if any operating-system-related strings are modified this can cause overall performance issues, while changes to individual applications may render certain functions unavailable. The creation of custom entries is related to another technique, the persistent threat installation: such malware infections are started automatically once the computer is powered on and may additionally block access to the boot recovery menu.
Further malicious activity may include the removal of sensitive data such as System Restore Points and Shadow Volume Copies, which are important when restoring the computers. If this action is done then the victim users will need to resort to a professional backup recovery solution; refer to our instructions for more details on this.
Another popular virus step is the deployment of a Trojan module. Like other similar viruses the mechanism remains the same: the client will establish a secure connection to a hacker-controlled address. This will allow the hackers to spy on the victims in real time, as well as take over control of their machines and deploy other threats. Some of the popular payloads that are dropped include other viruses or cryptocurrency miners. They have become very popular of late as they can process complex calculations, and when the results are reported to the servers, digital currency is transferred to the hackers' wallets automatically.
As this is a new version of the CrySiS Ransomware family we anticipate that the various modifications of it can be customized in each target campaign. Newer versions are expected as the CrySiS main engine code can be acquired through the hacker underground forums.
CrySiS Ransomware – Encryption Process
There is no major difference in the encryption engine operations of this CrySiS ransomware strain in comparison to previous ones. Sensitive user data is encrypted with a powerful cipher and governed by a list of target file type extensions. The following example data may be affected:
Like previous versions the ransomware will mark the processed files with a specific extension — ".id-%ID%.[[email protected]].gamma".
This means that the files will carry the unique user ID, which is built from information harvested through the data stealer module. As always, the .gamma extension files will also be mentioned in the special ransom note created in the FILES ENCRYPTED.txt file.
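The file-name mark and the ransom-note name described above are the two artifacts an incident responder can look for when triaging a host or a restored backup. The following Python script is an added example, not code from the article or from any vendor tool: it walks a directory tree, pulls the victim ID and contact address out of every name matching the `.id-<ID>.[<address>].gamma` pattern, and records every `FILES ENCRYPTED.txt` it finds. It assumes the victim ID is a run of hex digits (the article does not fix its length) and that the contact address is whatever sits inside the square brackets; the sample tree it builds uses constructed names and the placeholder domain `example.invalid`.

```python
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# File-name mark from the article: <name>.id-<victim ID>.[<contact address>].gamma
# Assumption: the victim ID is a run of hex digits (length not fixed by the
# article) and the contact address is whatever sits inside the square brackets.
GAMMA_MARK = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]+)"
    r"\.\[(?P<contact>[^\]]+)\]\.gamma$"
)
RANSOM_NOTE = "FILES ENCRYPTED.txt"  # note file name given in the article


@dataclass
class TriageReport:
    encrypted: list = field(default_factory=list)   # (path, original name, victim ID, contact)
    notes: list = field(default_factory=list)       # locations of ransom notes
    victim_ids: Counter = field(default_factory=Counter)
    contacts: Counter = field(default_factory=Counter)

    @property
    def infected(self) -> bool:
        return bool(self.encrypted or self.notes)


def classify_name(name: str):
    """Return (original name, victim ID, contact) for a .gamma-marked name, else None."""
    m = GAMMA_MARK.match(name)
    if m is None:
        return None
    return m.group("original"), m.group("victim_id").upper(), m.group("contact")


def triage_tree(root: str) -> TriageReport:
    """Walk `root` and collect every marked file and ransom note found under it."""
    report = TriageReport()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                report.notes.append(path)
                continue
            parsed = classify_name(name)
            if parsed is not None:
                original, victim_id, contact = parsed
                report.encrypted.append((path, original, victim_id, contact))
                report.victim_ids[victim_id] += 1
                report.contacts[contact] += 1
    return report


def build_sample_tree(root: str) -> None:
    """Create a constructed layout of empty files with made-up names (no real malware)."""
    os.makedirs(os.path.join(root, "Documents"), exist_ok=True)
    sample = [
        "Documents/budget.xlsx.id-1A2B3C4D.[contact@example.invalid].gamma",
        "Documents/report.docx.id-1A2B3C4D.[contact@example.invalid].gamma",
        "notes.txt.id-1A2B3C4D.[contact@example.invalid].gamma",
        "Documents/" + RANSOM_NOTE,
        "untouched.pdf",   # a file the ransomware did not process
        "photo.gamma",     # ".gamma" alone, without the ID/contact mark, is not a hit
    ]
    for rel in sample:
        with open(os.path.join(root, rel), "w", encoding="utf-8"):
            pass


def demo() -> TriageReport:
    """Build the sample tree in a temporary directory and triage it."""
    root = tempfile.mkdtemp(prefix="gamma-triage-")
    build_sample_tree(root)
    return triage_tree(root)


if __name__ == "__main__":
    r = demo()
    print("infected:", r.infected)
    print("marked files:", len(r.encrypted), "ransom notes:", len(r.notes))
    print("victim IDs:", dict(r.victim_ids))
    print("contact addresses:", dict(r.contacts))
```

Run it against a real volume by calling `triage_tree("/path/to/mounted/disk")` instead of `demo()`. The original file name recovered from each mark tells you which data was hit, and more than one victim ID or contact address in the same tree is a sign that files from several infected machines were copied together, which matters when you plan the recovery.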
Remove CrySiS Ransomware Virus and Restore .gamma Files
If your computer got infected with the CrySiS ransomware virus, you will need some experience with removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware by following the step-by-step instructions guide provided below.