CrySiS Ransomware Variant Strikes Again: Have You Been Hit?
Recently I received a report from a customer that files on their server had been encrypted by ransomware. After a remote emergency response, I contacted the customer and obtained the corresponding sample; it turned out to be the latest variant of the CrySiS family.
CrySiS ransomware went quiet for a while after its universal key was published in May 2017. Recently, new variants of this ransomware have been found active. The attack method is still RDP brute-forcing: once the RDP password is cracked, the payload is implanted on the user's server and run. The encrypted-file suffix is .java. Because CrySiS uses AES + RSA encryption, the files cannot be decrypted at present; recovery is only possible if the attackers publish new keys. Earlier samples were found to have been produced by other actors who did not have the source code and had instead reverse-engineered the CrySiS payload. During this analysis we found the PDB file path of the CrySiS payload, which suggests that either those actors have obtained the source code or the original author has resumed activity, as shown in the figure below:
In addition, the file compile timestamp shows that the samples are relatively new, as shown in the figure below:
Sample Behavior Analysis
(1) The ransomware first creates a mutex to prevent multiple instances from running, as shown in the figure below:
(2) It copies itself to the following directories:
%Windir%\System32
%AppData%
%sh(Startup)%
%sh(Common Startup)%
After copying itself to these directories, the sample registers an auto-start entry, as shown in the figure below:
At the same time, it drops the ransom-note file Info.hta in the same directory as the copied sample and registers it as a startup item so that the ransom screen is displayed, as shown in the figure below:
(3) It enumerates the following services on the machine and stops them, as shown in the figure below:
The service list is as follows (display name and service name):
Windows Driver Foundation - User-mode Driver Framework (wudfsvc)
Windows Update (wuauserv)
Security Center (wscsvc)
Windows Management Instrumentation (winmgmt)
Diagnostic Service Host (WdiServiceHost)
VMware Tools (VMTools)
Desktop Window Manager Session Manager
......
The disassembly code is as follows:
(4) It enumerates the processes running on the machine and terminates the following, as shown in the figure below:
The process list is as follows:
1c8.exe
1cv77.exe
Outlook.exe
Postgres.exe
Mysqld-nt.exe
Mysqld.exe
Sqlserver.exe
From this list we can see that the ransomware mainly terminates database programs so that they do not hold the database files open, which would otherwise prevent the ransomware from encrypting the database files on the server. The corresponding disassembly code is as follows:
(5) It deletes the volume shadow copies on the machine so that files cannot be restored by data-recovery tools, as shown in the figure below:
Viewing the process list at this point:
The corresponding disassembly code is shown below:
(6) It enumerates the LAN shares, traverses the files in the shared directories, and encrypts them, as shown in the figure below:
(7) The file encryption process is as follows:
(A) It recursively traverses the file directories looking for files to encrypt. The following files are skipped so that the system remains bootable:
boot.ini; bootfont.bin; ntldr; ntdetect.com; io.sys
The disassembly code for the file enumeration is as follows:
(B) It decrypts a string in memory to obtain the list of file suffixes to encrypt, as shown in the figure below:
The file extensions encrypted by the ransomware include the following (partial list):
.1cd; .3ds; .3fr; ...; .3gp; .7z; .accda; .accdb; .accdc; .accde; .accdt;
...
.cub; .dae; .dat; .db; .dbf; .dbx; .dc3; .dcm; .dcr; .der;
.dib; .dic; .dif; .divx; .djvu; .dng; .doc; .docm; .docx; .dot; .dotm; .dotx; .dpx; .dqy; .dsn; .dt; .dtd; .dwg; .dwt; .dx; .dxf; .edml; .efd; .elf; .emf; .emz; .epf; .eps; .epsf; .epsp;
...
.icb; .ics; .iff; .inc; .indd; .ini; .iqy; .j2c; .j2k; .java; .jp2; .jpc;
.jpe; ...; .jpf; .jpg; .jpx; .js; .jsf; .json; .jsp; .kdc; .kmz; .kwm; .lasso; .lbi; .lgf; .lgp; .log; .m1v; .m4a; .m4v; .max; .md; .mda; .mdb; .mde; .mdf; .mdw; .mef; .mft; .mfw; .mht;
.mhtml; .mka; .mkidx; .mkv; .mos; .mov; .mp3; .mp4; .mpeg; .mpg; .mpv; .mrw; .msg; .mxl; .myd; .myi; .nef; .nrw; .obj; .odb; .odc; .odm; .odp; .ods; .oft; .one; .onepkg; .onetoc2; .opt;
...
.pnm; .pot; .potm;
...
.raw; .rdf; .rgbe; .rle; .rqy; .rss; .rtf; .rw2; .rwl;
...
During traversal, each file's extension is compared against this list, and only files with a listed extension are encrypted. The corresponding disassembly code is as follows:
(C) It decrypts in memory the string used to build the encrypted file name, as shown in the figure below:
Encrypted files are named in the form: <original file name>.id-AC8D65A2.[debugs@protonmail.com].java
(D) When encrypting a file, the ransomware first checks the file size. If the file is larger than 0x180000 bytes, it encrypts the file contents in place and then renames the file; if the file is 0x180000 bytes or smaller, it creates a new file, encrypts the contents of the old file into the new file, and deletes the old file. The related code is as follows:
After encryption, if the file is smaller than 0x180000 bytes, the following information is written at the end of the file so that the attacker can later decrypt it. The related disassembly code is as follows:
The trailing layout of the encrypted file is as follows:
Dynamic debugging is shown in the figure below:
After the file is encrypted, the original file is deleted, as shown in the figure below:
For files larger than 0x180000 bytes, the same information is written at the end of the file after encryption so that the attacker can decrypt it, as shown in the figure below:
The trailing layout of the encrypted file is as follows:
The original file is then renamed. The dynamic-debugging view of this code is as follows:
The trailing data of the encrypted file is as follows:
(E) The key block is 184 bytes. The first 32 bytes hold the RC4-encrypted random key that is later used to encrypt the file contents. To improve randomness, the program reads the CPU time-stamp counter with the RDTSC instruction, and the key is finally encrypted with RC4, as shown in the code:
From byte 33, the key block stores the system serial number (905D7E25h on the analysed machine; 4 bytes, since 32 + 4 + 128 + 20 = 184), which serves as a unique identifier. The next 128 bytes store the RSA-encrypted random key, and the last 20 bytes store the SHA-1 hash of the RSA public key. The related disassembly code is as follows:
The generated key block structure is shown in the figure below:
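The naming pattern from step (C) and the 184-byte key block layout from step (E) are enough to write a small triage helper for incident responders. The following is an added example, not code from the sample or from the original analysis. It recognises the encrypted-file name, carves the key block into its four fields, and reports which of the two code paths from step (D) a file of a given size would take. One assumption is not stated on the page and is labelled in the code: that the key block is the last 184 bytes of the encrypted file. The sample bytes are constructed, not a real encrypted file; nothing here decrypts anything, since the RC4 and RSA keys are not available.

```python
"""Triage helper for files encrypted by this CrySiS variant (added example).

Assumption not stated on the page: the 184-byte key block is the last
184 bytes of the encrypted file.
"""
import hashlib
import os
import re
import struct
from dataclasses import dataclass

# <original name>.id-<8 hex chars>.[<email>].java
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<ext>java)$"
)
KEY_BLOCK_SIZE = 184
SIZE_THRESHOLD = 0x180000  # files above this are encrypted in place and renamed


@dataclass
class KeyBlock:
    rc4_encrypted_key: bytes  # bytes 0..31
    serial: int               # bytes 32..35, read as a little-endian DWORD
    rsa_encrypted_key: bytes  # bytes 36..163
    rsa_pubkey_sha1: bytes    # bytes 164..183


def parse_encrypted_name(path: str):
    """Return original name, victim ID, contact e-mail and suffix, or None."""
    m = ENCRYPTED_NAME_RE.match(os.path.basename(path))
    return m.groupdict() if m else None


def carve_key_block(data: bytes) -> KeyBlock:
    """Split the trailing 184 bytes into the fields described in step (E)."""
    if len(data) < KEY_BLOCK_SIZE:
        raise ValueError("file shorter than the 184-byte key block")
    blk = data[-KEY_BLOCK_SIZE:]
    (serial,) = struct.unpack("<I", blk[32:36])
    return KeyBlock(blk[0:32], serial, blk[36:164], blk[164:184])


def encryption_strategy(size: int) -> str:
    """Which of the two code paths from step (D) a file of this size takes."""
    if size > SIZE_THRESHOLD:
        return "encrypt in place, then rename"
    return "encrypt into new file, then delete original"


def build_constructed_sample() -> bytes:
    """Constructed test data, not a real encrypted file."""
    body = b"\xaa" * 64                          # stands in for ciphertext
    rc4_key = bytes(range(32))                   # stands in for the RC4-encrypted key
    serial = struct.pack("<I", 0x905D7E25)       # serial value seen in the analysed sample
    rsa_key = b"\x11" * 128                      # stands in for the RSA-encrypted key
    sha1 = hashlib.sha1(b"constructed public key").digest()
    return body + rc4_key + serial + rsa_key + sha1


if __name__ == "__main__":
    name = "report.docx.id-AC8D65A2.[debugs@protonmail.com].java"
    print(parse_encrypted_name(name))
    kb = carve_key_block(build_constructed_sample())
    print(f"serial={kb.serial:08X} sha1={kb.rsa_pubkey_sha1.hex()}")
    print(encryption_strategy(0x180000), "|", encryption_strategy(0x180001))
```

The victim ID and contact address extracted from file names are what an analyst needs to group affected hosts and match the incident to a known campaign; the SHA-1 of the RSA public key carved from the trailer can be compared across files to confirm they were produced by the same build.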
(8) The ransomware also connects to a remote server. Because the server was unreachable during debugging, the traffic could only be inferred from the disassembly; dynamic debugging found the following imported functions:
00418804 socket
00418808 send
0041880C recv
00418810 connect
00418814 closesocket
00418818 gethostname
0041881C inet_addr
00418820 ntohl
00418824 htonl
00418828 ntohs
These functions may be used to send key data and system information to the attacker's server.
(9) Early in execution, the ransomware decrypts the names of the API functions it needs and resolves their addresses, as shown in the figure below:
Tracing this in the debugger to obtain the IAT address:
(10) The disassembly of the ransomware's main function is as follows:
(11) On an infected machine, the ransomware behaves as follows:
The ransomware launches rundll32.exe or mshta.exe to execute the ransom-note file Info.hta, and several ransom windows are displayed, as shown in the figure below. The command line is as follows:
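The behaviours in steps (2), (5) and (11) (a copy of the sample and Info.hta written to a Startup folder, shadow copies deleted, and mshta.exe or rundll32.exe launching an .hta) are each detectable from endpoint telemetry, and together they form a strong ransomware signal. The following added example, which is not part of the original analysis, runs three such rules over constructed Sysmon-style process and file events and escalates a host on which two or more distinct rules fire. One assumption is labelled: the page says shadow copies are deleted but does not name the command, so the rule matches the common vssadmin and wmic forms.

```python
"""Host-behaviour detection for the CrySiS chain (added example, constructed events)."""
import re

HTA_LAUNCHERS = {"mshta.exe", "rundll32.exe"}
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

# Constructed Sysmon-style events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv01", "type": "file",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.exe"},
    {"host": "srv01", "type": "file",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"},
    {"host": "srv01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv01", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\bob\AppData\Roaming\Info.hta"'},
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    if event["type"] == "process":
        image = _basename(event["image"])
        cmd = event["cmdline"].lower()
        # step (11): ransom note Info.hta executed via mshta.exe / rundll32.exe
        if image in HTA_LAUNCHERS and ".hta" in cmd:
            hits.append("hta_ransom_note_launch")
        # step (5): shadow copy deletion; assumption: done via vssadmin or wmic
        if (image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd) or \
           (image == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd):
            hits.append("shadow_copy_deletion")
    elif event["type"] == "file":
        # step (2): executable or .hta written into a Startup folder
        target = event["target"]
        if STARTUP_RE.search(target) and target.lower().endswith((".exe", ".hta")):
            hits.append("startup_folder_persistence")
    return hits


def summarize(events) -> dict:
    """Group rule hits per host; two or more distinct rules on one host escalates."""
    per_host = {}
    for ev in events:
        for rule in classify(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {host: {"rules": sorted(rules), "escalate": len(rules) >= 2}
            for host, rules in per_host.items()}


if __name__ == "__main__":
    for host, result in summarize(SAMPLE_EVENTS).items():
        print(host, result)
```

Any single rule can fire on legitimate administration (backup software also removes old shadow copies), which is why the summary escalates only when several of the chain's stages appear on the same host.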
Defense methods
The security lab reminds our partners to take the following precautions:
1. Do not open emails or attachments from unknown sources.
2. Patch your computers promptly to fix vulnerabilities.
3. Back up important data files regularly to an off-site location.
4. Install professional endpoint/server security software.
5. CrySiS ransomware spreads mainly through RDP brute-forcing, so we recommend disabling the RDP service where it is not needed. Because the ransomware also encrypts files in shared directories, we recommend disabling shared directories that are not needed.
6. Disable unnecessary file-sharing permissions and unnecessary ports, such as 445, 135, 139 and 338.
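Since the entry vector described throughout this article is RDP brute-forcing, the earliest detection opportunity is the burst of failed remote logons that precedes the compromise. The following added example, which is not from the original article, applies a sliding-window count of Windows Security event 4625 (failed logon) records with logon type 10 (RemoteInteractive, i.e. RDP) per source IP, and escalates when the same source then produces a 4624 (successful logon). The events are constructed; in practice they would come from the event log or a SIEM.

```python
"""RDP brute-force detection over Windows Security log events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive


def detect_rdp_bruteforce(events, threshold=5, window_seconds=60):
    """Flag a source IP with >= threshold RDP failures inside a sliding window,
    and escalate if the same IP subsequently logs on successfully."""
    alerts = []
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            q = recent[ip]
            q.append(ev["ts"])
            # drop failures that fell out of the window
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("rdp_bruteforce", ip, len(q)))
        elif ev["event_id"] == 4624 and ip in flagged:
            alerts.append(("rdp_success_after_bruteforce", ip, ev["user"]))
    return alerts


def constructed_events():
    """Constructed log records: six failures from one address over 25 seconds,
    then a success from that address, plus one unrelated failure."""
    base = datetime(2017, 11, 1, 3, 0, 0)
    evs = [{"ts": base + timedelta(seconds=5 * i), "event_id": 4625,
            "logon_type": RDP_LOGON_TYPE, "src_ip": "203.0.113.5",
            "user": "administrator"} for i in range(6)]
    evs.append({"ts": base + timedelta(seconds=40), "event_id": 4624,
                "logon_type": RDP_LOGON_TYPE, "src_ip": "203.0.113.5",
                "user": "administrator"})
    evs.append({"ts": base + timedelta(seconds=10), "event_id": 4625,
                "logon_type": RDP_LOGON_TYPE, "src_ip": "198.51.100.7",
                "user": "alice"})
    return evs


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(constructed_events()):
        print(alert)
```

A success following a flagged burst is the point at which the host should be isolated and checked for the behaviours in steps (1) to (11) above; the threshold and window should be tuned to the environment's normal RDP failure rate.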