CryLocker, also known as Central Security Treatment Organization (CSTO) or Cry Ransomware, targets Windows systems and is distributed via the Sundown exploit kit. Once a system is infected, CryLocker collects information such as the Windows version and architecture (32- or 64-bit), the installed service pack, the user and computer names, and the CPU type. This information is then sent via UDP to 4,096 different IP addresses, only one of which is the actual C2 server; the other addresses serve as decoys that hide the real C2 among thousands of apparently random destinations. CryLocker also packages this information, together with a list of the victim's encrypted files, into a file disguised as a PNG image and uploads it to Imgur.com. Imgur responds with a unique file name, which CryLocker again broadcasts via UDP to the same 4,096 IP addresses, notifying its C2 server that a new infection has occurred. CryLocker also calls the Windows WlanGetNetworkBssList function to compile a list of nearby wireless network Service Set Identifiers (SSIDs) and then queries the Google Maps API to determine the victim's physical location. CryLocker makes a backup of certain shortcuts on the victim's desktop and stores them in a folder called old_shortcuts; the purpose of this step is currently unknown. It deletes Volume Shadow Copies and encrypts targeted files, appending .cry to each encrypted file name. To maintain persistence, CryLocker creates a randomly named scheduled task that launches when the victim logs into the system. CryLocker demands a ransom payment of $625 USD worth of Bitcoin and threatens to double the amount to $1,250 if the ransom is not paid within 3 days and 18 hours.
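The UDP beaconing described above is a detectable pattern regardless of which of the 4,096 addresses is the real C2: a single workstation suddenly sends datagrams to thousands of distinct destinations within a short window. The following Python script is an added example (not code from the original profile or from any CryLocker analysis) that runs a sliding-window fan-out detector over constructed flow records. The record format, the destination port (4444), the timing of the spray, the 60-second window and the 1,024-target threshold are all assumptions for illustration; the profile does not state the port CryLocker uses.

```python
"""Flag hosts that spray UDP datagrams at thousands of distinct IP addresses
in a short window, the beaconing pattern attributed to CryLocker.

Added example. The flow-record format, port numbers, timings and thresholds
are assumptions for illustration, not values taken from the CryLocker analysis.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import IPv4Address


def parse_flow(line):
    """Parse one constructed NetFlow-like record:
    '<ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port> <bytes>'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "bytes": int(nbytes)}


def make_sample_flows():
    """Constructed telemetry (not real captures): one benign host doing DNS and
    HTTPS, and one infected host (10.0.0.7) spraying 4,096 UDP datagrams."""
    lines = []
    t0 = datetime(2016, 9, 6, 10, 0, 0)
    # Benign host: 200 DNS queries to a single resolver, plus a few HTTPS sessions.
    for i in range(200):
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 10.0.0.2 UDP 53 80")
    for i in range(20):
        ts = t0 + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 93.184.216.34 TCP 443 1500")
    # Infected host: 4,096 small UDP datagrams to consecutive addresses in the
    # 198.18.0.0/15 benchmarking range, 5 ms apart (assumed timing and port).
    for i in range(4096):
        ts = t0 + timedelta(milliseconds=5 * i)
        dst = IPv4Address("198.18.0.0") + i
        lines.append(f"{ts.isoformat()} 10.0.0.7 {dst} UDP 4444 160")
    return lines


def find_udp_fanout(lines, window=timedelta(seconds=60), min_targets=1024):
    """Return {src_ip: alert} for every source that reaches `min_targets`
    distinct UDP destinations inside any `window`-long sliding interval.

    Per source we keep a deque of (timestamp, dst) pairs still inside the
    window and a Counter of destinations, so the distinct-destination count
    is O(1) to read and expiry is amortised O(1) per record."""
    flows = sorted((parse_flow(l) for l in lines), key=lambda f: f["ts"])
    recent = defaultdict(deque)    # src -> deque of (ts, dst) inside the window
    seen = defaultdict(Counter)    # src -> dst -> hits inside the window
    alerts = {}
    for f in flows:
        if f["proto"] != "UDP":
            continue
        q, c = recent[f["src"]], seen[f["src"]]
        q.append((f["ts"], f["dst"]))
        c[f["dst"]] += 1
        # Expire records that fell out of the window.
        cutoff = f["ts"] - window
        while q and q[0][0] < cutoff:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= min_targets:
            a = alerts.setdefault(f["src"], {
                "first_seen": q[0][0], "triggered": f["ts"],
                "distinct_dsts": 0, "dports": set()})
            # Keep growing the count so the alert reflects the whole burst.
            a["distinct_dsts"] = max(a["distinct_dsts"], len(c))
            a["dports"].add(f["dport"])
    return alerts


if __name__ == "__main__":
    for src, a in find_udp_fanout(make_sample_flows()).items():
        print(f"{src}: {a['distinct_dsts']} distinct UDP destinations "
              f"(ports {sorted(a['dports'])}) between {a['first_seen']} "
              f"and {a['triggered']}")
```

The benign host talks UDP to one destination only and never trips the threshold; the infected host is flagged as soon as its spray passes 1,024 distinct targets, and the final alert records all 4,096. In production the thresholds need tuning against hosts that legitimately fan out over UDP (vulnerability scanners, monitoring pollers, some P2P clients), but a workstation hitting thousands of distinct addresses on one port within seconds is rare enough to page on, and the same burst would also be visible as a second spray shortly afterwards when the malware rebroadcasts the Imgur file name.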
- Bleeping Computer provides more information about CryLocker here.
- The NJCCIC is not currently aware of any free decryption tool available for CryLocker.