CryptON, also known as Nemesis or X3M, targets servers running Windows OS and is distributed and executed manually via Remote Desktop Protocol (RDP) brute-force attacks. CryptON does not contain a file extension list, so it encrypts any and all file types it finds on the infected server. It does, however, exclude C:\Windows, C:\Program Files, and the user profile folder to avoid impacting the boot operation and other critical system processes. CryptON deletes system recovery points to prevent victims from restoring files without paying the ransom. According to Emsisoft’s analysis team, files encrypted by CryptON are 16 bytes larger than the original files, and the ransomware appends the following extensions to the file names:
UPDATE 4/4/2017: A new strain of this variant, called Cry9, began impacting victims around March 17, 2017. Attackers behind this campaign infected victims by conducting RDP brute-force attacks and manually executing the ransomware once they gained access to the victims' servers. Files encrypted by Cry9 appear to be 16 bytes larger than the original files. File extensions associated with Cry9 include:
UPDATE 5/1/2017: A new version, dubbed Cry128, began appearing April 22, 2017. It is distributed via RDP brute-force attacks and deployed across networks from compromised servers. It deletes system recovery points to prevent victims from recovering their files using Shadow Volume Copies. It encrypts all file types with the exception of files located within C:\Windows, C:\Program Files, and the user profile folder to prevent the corruption of the boot process and other critical processes. File extensions associated with Cry128 include:
UPDATE 5/23/2018: Malwarebytes recently detected an active campaign attempting to deliver a new version of CryptON ransomware to victims via hacked Remote Desktop Services. The variant appends .ransomed[@]india[.]com to the names of encrypted files. A ransom note named HOWTODECRYPTFILES.html is placed in every folder where files have been encrypted. The NJCCIC is not aware of any free decryption tools for this variant of CryptON.
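
A file-system triage check built from the indicators above (the ransom note name and appended extension from the 5/23/2018 update, and the 16-byte size increase reported for CryptON and Cry9), added here as an example rather than code from the original page. The backup-manifest `baseline` input, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Indicators from the 5/23/2018 update; the page defangs the extension.
NOTE_NAME = "HOWTODECRYPTFILES.html"
EXT_2018 = ".ransomed[@]india[.]com".replace("[", "").replace("]", "")
GROWTH = 16  # bytes added to each encrypted file (reported for CryptON and Cry9)


def triage(root, baseline):
    """Walk root and return (note_dirs, ext_hits, grown).

    baseline maps a relative path to its pre-incident size, e.g. taken from
    a backup manifest (hypothetical input, not described on the page).
    """
    note_dirs, ext_hits, grown = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if name.lower() == NOTE_NAME.lower():
                note_dirs.append(rel_dir.replace(os.sep, "/"))
                continue
            if name.lower().endswith(EXT_2018):
                ext_hits.append(rel)
            size = os.path.getsize(os.path.join(dirpath, name))
            # Extension-agnostic check: original name plus an appended suffix,
            # and exactly GROWTH bytes larger than the recorded original.
            for orig, orig_size in baseline.items():
                if rel != orig and rel.startswith(orig) and size == orig_size + GROWTH:
                    grown.append((rel, orig))
    return sorted(note_dirs), sorted(ext_hits), sorted(grown)


def demo():
    """Build a constructed sample tree and run triage over it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "share", "hr"))
        samples = {  # constructed files: relative path -> size in bytes
            "share/report.docx" + EXT_2018: 1016,     # 1000-byte original + 16
            "share/hr/payroll.xlsx.id_0000_x": 2064,  # made-up suffix, 2048 + 16
            "share/hr/notes.txt": 300,                # untouched file
            "share/" + NOTE_NAME: 10,
        }
        for rel, size in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(b"\0" * size)
        baseline = {"share/report.docx": 1000, "share/hr/payroll.xlsx": 2048,
                    "share/hr/notes.txt": 300}
        return triage(root, baseline)
```

The size comparison does not depend on knowing the appended extension, so it also flags files renamed with a suffix that is not listed here.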